An alternate, market-based solution would be insurance companies that impose requirements for insurance. That increases the chances of finding an economic balance between security and productivity. A government regulation applies to everyone, even if it no longer makes sense; an insurance company whose requirements are outdated will be out-competed by others, while an insurance company whose requirements are insufficient will go out of business.
But the OP's arguments also apply to insurance, yet businesses buy insurance every day. The difference is that the fines and liability for data breaches are so paltry that the rational thing to do is not to invest in security. This can only change through legislative action. I wouldn't hold my breath.