Security is not simple or cheap
Most exploits are carried out by insiders. Outside crackers obviously exist, but for the most part more money is lost to the internal threat.
The problem is that people are paid a comparable amount whether they work on security-sensitive data or on data where security is not an issue.
CEOs like to have access to all data, as do admins and security folk; all of them represent a possible point of high compromise, one that affects a lot of information.
No one can really be trusted when the environment is competitive: knowledge is power, and power is alluring. Concepts such as split passwords, where at least 2 or 3 people out of a pool of about 6 are required to open the data and then sign off that the data was not subsequently copied, are probably going to have to be the norm rather than the exception. The audit trail is the most important piece, and it should be handled by a couple of separate entities. All of this costs money and time, though.
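The "split password" idea above is a k-of-n threshold scheme, and the standard way to make it enforceable rather than merely procedural is Shamir's secret sharing. The following is an added example (not code from the original article); it assumes Python 3.8 or later, uses the Mersenne prime 2^521 - 1 as the field so that keys of up to 64 bytes fit, and the 32-byte key in the demonstration is constructed for illustration. With a 3-of-6 split, any three holders can recover the key and any two learn nothing about it.

```python
"""Shamir k-of-n secret sharing for a "split password" policy (added example).

The secret is the constant term of a random polynomial of degree k-1 over
GF(p). Each of the n holders receives one point on that polynomial; any k
points determine the polynomial, so Lagrange interpolation at x = 0 recovers
the secret, while fewer than k points are consistent with every possible
secret.
"""
import secrets

# 2^521 - 1 is a Mersenne prime; secrets up to 64 bytes fit below it.
PRIME = (1 << 521) - 1


def _eval_poly(coeffs, x):
    """Evaluate the polynomial with the given coefficients at x, mod PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret, k, n):
    """Split an integer secret into n shares (x, y); any k of them recover it."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be an integer in [0, PRIME)")
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    # Constant term is the secret; the other k-1 coefficients are random.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares, k):
    """Recover the secret from at least k distinct shares (x, y)."""
    distinct = list({x: (x, y) for x, y in shares}.values())
    if len(distinct) < k:
        raise ValueError(f"need at least {k} distinct shares, got {len(distinct)}")
    points = distinct[:k]  # any k points fix the degree-(k-1) polynomial
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        # Lagrange basis polynomial L_i(0) = num / den, via modular inverse.
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def split_key(key: bytes, k: int, n: int):
    """Convenience wrapper: share a byte-string key (e.g. a database key)."""
    return split_secret(int.from_bytes(key, "big"), k, n)


def recover_key(shares, k: int, length: int) -> bytes:
    """Inverse of split_key; 'length' is the original key length in bytes."""
    return recover_secret(shares, k).to_bytes(length, "big")


if __name__ == "__main__":
    # Constructed example key: a 3-of-6 split among six custodians.
    key = bytes(range(32))
    shares = split_key(key, 3, 6)
    assert recover_key([shares[0], shares[3], shares[5]], 3, 32) == key
    try:
        recover_key(shares[:2], 3, 32)
    except ValueError as err:
        print("two custodians alone:", err)
```

Each custodian keeps one `(x, y)` pair; the sign-off that the data was not copied afterwards is a procedural control and is not something the maths can enforce, which is why the audit trail still matters.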
Basic encryption, obfuscation, trust and tight audit trails of access are probably the workable solution to IT security.
Trust is the interesting one really, and it encompasses a number of elements; it is the key reason for compromise. How you measure trust is the problem. Internal compromise usually happens when some earlier event has already weakened trust.
The audit trail is perhaps the weakest element of IT security at the moment. Logs of access exist, of course, but they should be made more public, with people signing off on when they accessed data, accompanied by the reason for the access.
There is no right to privacy when you are viewing other people's information, only when viewing your own. If people realised they had to account for their access, most internal breaches would not occur; it would also help in identifying when an external breach has occurred.
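The two preceding paragraphs describe an audit trail where every access to someone else's data carries a stated reason and the data subject can see who looked. The following is an added example, not code from the original article: a small hash-chained access log in Python. It assumes that self-access needs no justification (the privacy point above) and that entries are appended in order; the accessors, subjects and timestamps in the demonstration are constructed. The hash chain means a later edit or deletion of any entry is detectable, which is what makes "signing off" meaningful.

```python
"""Tamper-evident access audit trail with mandatory justification (added example).

Each entry records who accessed whose record, when and why. Entries are
hash-chained (each carries the previous entry's digest) so that altering,
removing or reordering an earlier entry invalidates everything after it.
"""
import hashlib
import json

GENESIS_HASH = "0" * 64  # 'prev' value for the first entry


def _entry_digest(entry: dict) -> str:
    """SHA-256 over the canonical JSON of an entry, excluding its own hash."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AccessLog:
    def __init__(self):
        self.entries = []

    def record(self, accessor, subject, resource, reason, when):
        """Append an access; 'when' is an ISO-8601 timestamp string.

        Viewing another person's record requires a reason; viewing your own
        does not (assumption matching the article's privacy distinction).
        """
        reason = (reason or "").strip()
        if accessor != subject and not reason:
            raise ValueError("access to another person's data must state a reason")
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        entry = {
            "seq": len(self.entries),
            "time": when,
            "accessor": accessor,
            "subject": subject,
            "resource": resource,
            "reason": reason,
            "prev": prev,
        }
        entry["hash"] = _entry_digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, first bad seq)."""
        prev = GENESIS_HASH
        for i, entry in enumerate(self.entries):
            if (entry["seq"] != i or entry["prev"] != prev
                    or entry["hash"] != _entry_digest(entry)):
                return False, i
            prev = entry["hash"]
        return True, None

    def accesses_to(self, subject):
        """What the data subject is entitled to see: who looked, when and why."""
        return [(e["time"], e["accessor"], e["reason"])
                for e in self.entries if e["subject"] == subject]


if __name__ == "__main__":
    # Constructed sample accesses to one HR record.
    log = AccessLog()
    log.record("alice", "bob", "hr/record", "salary review", "2024-01-02T09:00:00Z")
    log.record("carol", "bob", "hr/record", "payroll correction", "2024-01-02T10:00:00Z")
    log.record("bob", "bob", "hr/record", "", "2024-01-02T11:00:00Z")
    print("intact:", log.verify())
    for row in log.accesses_to("bob"):
        print("bob's record accessed:", row)
    # An insider quietly rewriting their stated reason after the fact
    # breaks the chain at that entry.
    log.entries[1]["reason"] = "routine check"
    print("after tampering:", log.verify())
```

In practice the chain head (the latest hash) would be published or countersigned periodically by a second party, which is the "couple of separate entities" the article asks for: the log owner cannot then rewrite history without the other party noticing.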
The other thing to realise is that holding data can be made more of a burden than an enabler, and laws that limit the data that may be retained on third parties are a good move to increase that burden. Some companies think it is legal to hold internal lists on third-party suppliers, grading them so that others in the company can later select them as preferred suppliers, without informing the suppliers that this data is being held. This goes against the Data Protection Act, but it is fairly common. Credit card details are often held by ecommerce sites to enable quick purchases later, but of course this makes the site a target, and there is a cost associated with securing that data. The law should make a compromise more expensive for those who insist on holding card details online, to ensure that people actually put the security safeguards in place, actively monitor the situation and keep improving security all the time.
As to the insider security problem that is not malevolent, unfortunately nowadays you have to keep a shit list: record the time you said you had grave concerns about being asked to copy that database and send it via mail, unencrypted or encoded with some so-called encryption algorithm, or the time you asked the client whether they wished to ensure that tainted data could not be used for an injection attack on currently known vectors, and they said, 'no, just get the project done'.
Copper nicker policy, really: let them be insecure, but make sure you record when it occurs and the fact that you advised against it. If you are too obtuse and lay down the law, it makes it hard to operate in business.