Could the researches be looking for the wrong benefit

Mich, perhaps we are just looking at this result from the wrong angle. Assume the number of attacks like this have gone up. I can't prove this and haven't done any research to support this notion but hang with me for a minute here. If the number of attacks have gone up, but the number of incidents has not had a substantive change, perhaps the law is having the desired effect after all. Indeed, were no steps taken by companies then I contend the incident rate could have increased, possibly significantly. That it hasn't means that, at least superficially, some progress has been made in this area.

Now to the contention: the number of attacks has increased over time. If you take a step back, hack, cracks, and all that sort of thing has been significantly increasing over the last several years. It feels like an exponential increase but whatever the rate, it is significantly more than just a few years ago. It seems reasonable to assume that attacks looking for personal information would also have increased commensurate with all the other attack vectors. That said, I do not have any data or studies to support this notion; perhaps you do since you deal with this more intensely than others. I don't know how you'd count the number of unsuccessful attacks: if security measures prevented it, how would you know it was even tried?

So if you accept the notion that attacks are on the increase, then perhaps things are not as bad as they might seem. Perhaps it's just a matter of perspective.

Are matters as good as they can be? That does not seem a viable contention as there is always room for improvement. In this matter as in most, security is never a destination but a journey. We can always make things better. I'm just not sure if the effort companies have made over the past several years have been as unfruitful as you make the effort out to be.