I think it is a reasonable expectation that companies dealing with personal information should have a certain security standard. You can argue that the market will take care of the issue, and that some corporation will emerge from the chaos promising both the features you want and the security you want. However, most people are too unfamiliar and uneducated to demand better security. Furthermore, there is little, if any, profit margin from doing it.
We (in the US) expected broadband internet providers to compete and provide us better service, and that never happened. Why are corporations going to want to spend money on security and make a better product for us if they don't have to?
I can see having a security standard being onerous for small businesses, and maybe they should be exempt from standards (unless they deal in medical history, credit info, SSNs, or large quantities of personal data). But if you're pulling in millions of dollars a year, I don't want to hear about how you can't afford proper security. A site like Ashley Madison? Give me a break. Make it mandatory to put a big red flag on your site if you can't meet a certain level of security. Right now nobody knows what is secure and what isn't.