Before I was allowed to hand out juice cups at my kids' preschool, I had to do a 2 hour food safety course and was subject to periodic inspections. That is infinity% more oversight than I received when storing highly sensitive information for ~10^5 users.
Though I'm sceptical it would help. API design is generally not taught in university courses, and perhaps shouldn't (too specific).
I instead feel that GDPR has already done a lot of heavy lifting. By raising the price of "find out", people got a bit more careful about the "fuck around" part. It seems to push companies to take it seriously.
The step two is forcing companies to take security breaches and security disclosures seriously, which CRA (Cyber Resilience Act) may help.... at the cost of swamps of byrocratic overhead that is also included ofcourse.
I mean, do you trust that the chemical industry will self regulate and keep dangerous chemicals out of your drinking water?
Then why do we trust software companies to keep you and your data safe?
We will get more regulations over time no matter how much we complain about it because people are rather lazy at the end of the day and more money for less work is a powerful motivator.
Though I wanna raise that, CRA may be an unfathomably high bureaucratic load on software companies. If it were just about security disclosure, it would be quite manageable.
As it is formulated in its current form, CRA sets the general software development industry... to the current industrial automation and automotive standards; which is absurd.