There is a vast difference between it not being 100% impossible and data holders not doing the absolute basics to keep it safe.
I could imagine if, after a data breach, there was a government-run cyber investigative task force that would come into an organization, and be tasked with investigating and fully understanding the nature of the breach. We already have forensic detectives for other crimes, why not this one?
And if it turns out that the failure occurred due to the company acting negligently, a la (whoopsie all the records were in an open S3 bucket) then humans would be found personally liable.
--
But in principle, I also agree with the other causes you list. These are very much what GDPR was aimed at improving. It really is a shame when you look at what GDPR could have accomplished if not for malicious compliance by American tech giants, and shitty enforcement (instigated by American tech giants).
It doesn't even need to be government-run, we just need the right incentives. I've seen proposals for making some kind of data loss insurance mandatory to compensate victims. The insurance companies would then conduct audits which determine the premiums for the company, and investigate for negligence after a breach.
Edit: Thinking more about it, this would probably also be positive for security investigators. If a company is stonewalling you and ignoring a legitimate bug report, you now have the option to escalate this to the insurer. Maybe they could even facilitate bug bounty programs for smaller companies.
I've had a similar thought in the past. I was thinking about the feasibility of a law being introduced where each company making over a certain amount of money per year must begin a VDP (and optionally a BBP) so that security flaws can be reported to them easily. This can easily be done by simply opening up security@companydomain and using security.txt (https://securitytxt.org). Reports must receive a response in N days, where N is calculated based on available staff, resource allocation, and revenue of the company. If they don't receive a response after N days, this can be escalated to some government agency which can take action against the company for failing to respond to a report on time.
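As an added illustration of the security.txt mechanism mentioned in the comment above (example code written for this page, not taken from the thread or from securitytxt.org; the sample file contents and the `example.com` addresses are constructed), here is a small validator that applies the RFC 9116 rules a publisher would want to check before putting the file at `/.well-known/security.txt`: at least one `Contact`, exactly one `Expires` that is in the future and less than a year out, `https://` URLs for web fields, and no unknown or duplicated singleton fields.

```python
"""Validator for a security.txt file following RFC 9116 (example code)."""
from datetime import datetime, timedelta, timezone

# Field rules from RFC 9116: Contact at least once, Expires exactly once,
# Preferred-Languages at most once; everything else is optional.
KNOWN_FIELDS = {"Acknowledgments", "Canonical", "Contact", "Encryption",
                "Expires", "Hiring", "Policy", "Preferred-Languages"}
REQUIRED = {"Contact", "Expires"}
SINGLETON = {"Expires", "Preferred-Languages"}
URL_FIELDS = {"Acknowledgments", "Canonical", "Encryption", "Hiring", "Policy"}


def parse_security_txt(text):
    """Return a list of (field, value) pairs; comments and blank lines are skipped."""
    fields = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"line {lineno}: not a 'Field: value' line: {raw!r}")
        fields.append((name.strip(), value.strip()))
    return fields


def validate_security_txt(text, now=None):
    """Return a list of problems found; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    problems = []
    try:
        fields = parse_security_txt(text)
    except ValueError as exc:
        return [str(exc)]

    counts = {}
    for name, value in fields:
        counts[name] = counts.get(name, 0) + 1
        if name not in KNOWN_FIELDS:
            problems.append(f"unknown field {name!r}")
        if name == "Contact" and not value.startswith(("mailto:", "tel:", "https://")):
            problems.append(f"Contact should be a mailto:, tel: or https:// URI, got {value!r}")
        if name in URL_FIELDS and not value.startswith("https://"):
            problems.append(f"{name} must be an https:// URL, got {value!r}")
        if name == "Expires":
            try:
                # Accept the common trailing 'Z' on older Python versions too.
                expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
            except ValueError:
                problems.append(f"Expires is not an ISO 8601 date-time: {value!r}")
            else:
                if expires.tzinfo is None:
                    problems.append("Expires must carry a time zone")
                elif expires <= now:
                    problems.append("security.txt has expired")
                elif expires > now + timedelta(days=365):
                    problems.append("Expires should be less than a year in the future")

    for name in REQUIRED:
        if counts.get(name, 0) == 0:
            problems.append(f"missing required field {name}")
    for name in SINGLETON:
        if counts.get(name, 0) > 1:
            problems.append(f"{name} may appear only once")
    return problems


# Constructed sample files (not real organisations' files).
GOOD_EXAMPLE = """\
# Constructed sample, would be served at https://example.com/.well-known/security.txt
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2024-06-30T00:00:00Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en, de
Canonical: https://example.com/.well-known/security.txt
"""

BAD_EXAMPLE = """\
Expires: 2023-01-01T00:00:00Z
Policy: http://example.com/policy
Hiring: https://example.com/jobs
"""

# Fixed reference time so the checks are reproducible.
CHECK_TIME = datetime(2024, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for label, sample in (("good", GOOD_EXAMPLE), ("bad", BAD_EXAMPLE)):
        print(label, validate_security_txt(sample, now=CHECK_TIME) or "OK")
```

Run it as a script and the constructed good file passes while the bad one reports an expired file, a plain-http Policy URL and the missing Contact line; point `validate_security_txt` at the text fetched from your own `/.well-known/security.txt` to use it as a pre-publish check.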
If something like this had been implemented 20 years ago, we'd probably be exactly where we are now. What's the point?