"But the limpwrists at the ICO have already said that they're going to go softly softly on enforcement this year, preferring education and improvement."

I think you will find that blatant incompetence with widespread impact will still result in a large fine. The softly softly is for stuff that's new under GDPR and that might not have been clearly understood or implemented in time.

