Here's a thought
Stick your badges where the sun doesn't shine (preferably with the safety pin sticking out)
Why not get the spooks at GCHQ to do frequent, unannounced pen tests on any UK websites? First strike and you get a notice to improve (and a public shaming too?), second strike and you incur proper, proportionate penalties. Would also provide a good training ground for noob cyber-spooks, possibly incentivise it with a pay bonus (based on the size of the target/level of compromise uncovered?) and give them all some allotted weekly time to spend on it.