Poor information security is a crime when that information involves personal information. The Data Protection Act requires that personal information is kept secure. Just because no one has been prosecuted yet doesn't mean they couldn't or shouldn't be.
UK law basically says "assess the risk and take appropriate measures." Short of criminal negligence, it's extremely unlikely that anybody will be prosecuted.
The TalkTalk data leak actually seems like criminal negligence. I don't know the British law, but that level of negligence at least should be criminal.
"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."
TalkTalk did not take appropriate measures against unauthorised processing.