I've worked in government, where regulations forced specific security requirements. Because the regulations were based on some guy's understanding that was slightly outdated and slightly questionable at the time they were written, they were completely outdated and foolish by the time we were following them.
As an example, regulations require the use of MD5, though weaknesses were found in MD5 in 1996 and it was more completely broken in 2004-2007. SHA-1, SHA-2, or SHA-3 would be much more secure, but regulations require MD5.
The federal standards relating to classified information are *better* at confidentiality, though they don't account for the most recent threats, but they are wholly inappropriate for many tasks. They're also expensive and restrictive to implement because they require that each module be certified ("validated"), which can take two years and several hundred thousand dollars - per module.
If there's anything that can be done on the legal side which can actually work, I think it'll be around liability. If you sell a product or service that gets hacked, you're liable unless you can prove that you followed best practices. A problem there is apparent if you've watched a locksmith unlock a few things. I used to work as a locksmith, and most locks, locks that follow industry standards, take about 30 seconds to open (hack). The highest security locks you'll normally find are made by Medeco. They take many minutes, even an hour or more, to open without a key. IT security isn't completely different: there's no magic that will keep a skilled attacker from abusing a system.
What we *can* do is harden systems against script kiddies and accidents - be sure that our systems don't allow employees to accidentally set our customer database to be directly accessible via the web, and our web site doesn't crash when John O'Reilly registers because he has an SQL "quote" in his name.
I've been doing information security full time for twenty years and before that I studied law. I don't see any clear way that law can improve information security much. Attempts to do so may well just make things more expensive, and possibly no more secure.
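The John O'Reilly case from the comment above, as an added example that is not part of the original post: a string-built INSERT fails on the apostrophe in his name, while a parameterized query stores it intact. It uses Python's standard sqlite3 module and a constructed in-memory table.

```python
import sqlite3


def make_db():
    """Constructed sample: an empty in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    return conn


def register_concatenated(conn, name):
    """Builds the SQL by string concatenation (the fragile form).

    An apostrophe in the name, as in O'Reilly, ends the quoted literal early,
    so the statement is a syntax error: this is the registration "crash" the
    comment describes. Returns True on success, False if the statement failed.
    """
    sql = "INSERT INTO users (name) VALUES ('" + name + "')"
    try:
        conn.execute(sql)
        conn.commit()
        return True
    except sqlite3.OperationalError:
        return False


def register_parameterized(conn, name):
    """Hardened form: the name is passed as a bound parameter, so the driver
    handles quoting and the apostrophe is stored verbatim."""
    conn.execute("INSERT INTO users (name) VALUES (?)", (name,))
    conn.commit()
    return True


def lookup(conn, name):
    """Parameterized lookup; returns the stored names equal to `name`."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    print("concatenated:", register_concatenated(db, "John O'Reilly"))    # False
    print("parameterized:", register_parameterized(db, "John O'Reilly"))  # True
    print("stored:", lookup(db, "John O'Reilly"))                          # ["John O'Reilly"]
```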