Won't somebody think of the . . .
Let's put aside the "IT need to talk 'exec' and sell their proposals better" angle.
I hear Don, above, and I understand what he is saying. I also happen to agree with him. As an IT bod, you are employed to assist the business by using your technical expertise - just like any other specialist. If it's your (expert) opinion that the business will be best served by X then damned well do your darndest to make sure X happens.
Okay, now I'm ready to put that aside . . .
Doing so, let's turn to WHY these regulations exist. They don't exist so a board can realise a compelling ROI, nor so that an IT staffer can take control of his job; they exist to protect the public, by protecting their information.
The problem here is not that IT haven't sold it well enough, but that the privacy commissioner and those who are making these laws haven't sold them well enough - the price is wrong. They need to understand that businesses are wont to see such fines as simply a cost of doing business. That is where punitive damages come in.
Such damages are awarded by a court in cases of business malpractice in part to discourage businesses seeing fines as a line item in their budget, offset by the money they save by being dicks. It happens in insurance cases where particular bad will has been shown. (Though not enough.)
The way to redress this is to make the risk of non-compliance higher than the cost of compliance.
The commissioner has to ask why these laws and regulations exist in the first place. If the goal is to protect the public (and it should be) then they need to get serious and impose fines that are actually a deterrent. After all, if I have my identity 'stolen' then the inconvenience, cost and stress to me is likely to be FAR more, comparatively, than the inconvenience, cost and stress of having to pay a (max) AUD 1.3m fine is to the company forced to pay it. Multiply that by the number of people affected by the hypothetical breach and $1.3m may well start to seem laughable.
Short version?
The penalties for putting your customers at risk must be severe enough to prevent companies being able to write it off as business cost.