(In the enterprise software world, I can tell you how epic failure to perform on an 8+ figure contract unfolds: the sales guy takes a VP out to the next game so they can discuss it over drinks in the corporate box and nothing will change)
a breach wasn't found, but that contracting company eventually became bankrupt under the weight of our negative press and litigation. I know that this is essentially bullying but it was used as an example to other contractors who might try something like that.
Incidentally, the SaaS provider no longer exists, gobbled up by NetSuite (which was, itself, acquired by Oracle).
If a company with weak data-protection standards wins out over a company with strong ones, it's never because of their lack of data-protection standards. Rather, it'll be because of all the other features, pricing, marketing, etc. they can do that's the opportunity cost of decent security. So as far as the information available to laypeople is concerned, most companies do a decent job with security and it's just a few bad apples that happen to be gigantic like Equifax, Facebook, Target, Yahoo, Anthem, and the U.S. government that are screwing things up.
(FWIW, at Google we took security very seriously and implemented some truly heroic measures to keep your data safe.)
Experian didn't lose any customer data, though. They only lost data on their products. Their actual customers had no reason to stop paying for their services.