Unlikely to change anytime soon
I am firmly of the opinion that absolutely nothing will change until businesses feel a direct, immovable financial impact from failing to secure their systems. I'm not talking about having to pay for a year of credit monitoring here, that is a fig leaf. You need something of similar monetary force to an audit statement that basically says, with force of perjury behind it, "my network is clean" like an audit statement says "my books are clean". Failing to have that, or having to retract it, is then to be ruthlessly punished by the market.
When businesses feel fear -- real, brown-trousered fear in the C-suite -- then they act. Until then, nothing much.