And the second major CDN outage in a few months is also affecting 0% of the websites I want to visit.
I'm afraid this will be yet another "this happens to everyone big enough, it's just part of the business" argument, just as with data breaches and ransomware. Until it reaches the scale we're watching right now with the latter, when these idiots' irresponsibility and greed actually lead to catastrophic consequences.
The role of CSO and CISO is quite challenging, as in many cases they will be positioned under the CFO or CEO, and *their* objective is profit, and in most cases short-term profit. Only in highly regulated institutions (like banks) can the CSO stop a crappy business project from going live for security reasons, and even then you hear arguments like "oh, that 2m FSA fine would be only 5% of our turnover".
I agree that it's pretty much always a numbers game. If they see it as a small risk of a small fine then they're not going to do much about it. Loss of trade secrets and brand reputation damage are the ones where I see them as more flying blind.
This is actually also quite rational from their point of view, as reputational damage is usually close to zero, any share price drops are temporary, and media coverage is usually compassionate, portraying them as victims rather than ignorant and risk-taking idiots who put others at risk. Nobody stopped doing business with Experian or Accellion after all. Bankruptcies are rare (e.g. AMCA).