". . . no legal obligation on data controllers to report breaches of security"
Well there's your problem right there. In a world where our governments insist they know increasingly intimate details about our lives, and that they be trusted to do so, it's simply not good enough that all possible measures are taken to secure what data is collected and held, no matter the reason for its collection.
One would argue that a strict, mandatory reporting requirement would be the very basis of any such program. The word they need to become acquainted with is "accountability". Not a popular word amongst civil servants but one could argue that it goes with the title - if one is a servant of the people then it stands to reason that one should be accountable to those people.