The company running a tight ship front-loads risk costs. The firm that doesn't is arbitraging present vs. potential future costs. The apparent lower costs are illusory.
A lot of the time the costs aren't actually payed by the breached party though. Most customers don't meaningfully change behaviour due to security breaches and meaningful fines are the exception, so your biggest risk is a breach benefitting your competition. If most of the costs can be externalized there is little incentive to care about them.
