which was launched following the TalkTalk cyber attack
Which one?
It would help if we had regulators that actually enforced the law rather than try and find excuses for the mistakes. Talk Talk for example has had problems more than once, but they have yet to face any serious sanction as a result of this.
With that sort of lack of action from the government it's hardly surprising that so many companies choose to do as little as possible. It's probably the cheaper of the two options, even with all those breaches (many of which I would wager the public are never told about).