This argument is specious at best. We must hold all parties involved to the same level of standard as any, at all levels because a breach of trust at any size is seriously damaging to the consumer. It doesn't matter about the size of the Corp.
One is having approximately equivalent alternatives. If something is wrong with a particular kind of chewing gum, I can easily switch to the next brand over. But when that's not the case, standards should be higher, because normal market forces no longer constrain players in the same way.
The other is the size of the potential impact. If one corner-store merchant keeps their credit card receipts in a box under the counter, it's a much smaller problem than, say, Target or Home Depot keeping them in a poorly secured network.
I think it matters, if only because it's more efficient to complain about the big corporations that everyone is familiar with than about some unknown startup few people care about.
If you only have limited time and energy for activism, you have to go for the bigger targets (to make it easy to collaborate with other activists) or go for the most local targets (because you may have a comparative advantage).
