Speaking from experience
Actually, it's frequently the case that the Data Protection Officer or similar doesn't have the authority to mandate particular security measures and even more frequently it's those in charge of the IT budget who are obstructive. "We don't have the budget" is the most common refrain, especially if it would take a ludicrously expensive change request to the outsourced service provider to get anything done.
A few years back I was working in a reasonably high profile public sector watchdog organisation with access to some extremely sensitive data. My manager and I could emphasise the need for encryption of all laptops till we were blue but were told no. It was the Head of IT who actually said "It's too expensive, too time-consuming and too irritating, so we're not going to do it". Fortunately (in a way) the HMRC data debacle happened the next week, so that position had to be reappraised.
High profile losses and fines do actually serve to force other organisations to get their houses in order and the fact that the ICO is levying fines might help - though the lack of custodial sentences means that the deterrent effect is still limited.
It's all very well to harp on about firing the DP person, but I suggest it would be more appropriate to investigate each incident first: find out who acted against policy, who failed to put decent security in place, and who didn't act on proper recommendations before calling for your pound of flesh.