Hacker News
Caesars Entertainment Pays $15M Ransom to Cyber-Hackers After Breach (nationalreview.com)
13 points by turtlegrids on Sept 21, 2023 | 6 comments


I read this title as, "Company of professional addiction manipulators and compulsion maximisers, pays $15M ransom to probably-more ethical group"


Lots of related discussion over here yesterday where an article on MGM mentioned the Caesars report also:

https://news.ycombinator.com/item?id=37572518


Paying ransoms should be a criminal offense. Even if the victim company would end up bankrupt, that would be an acceptable outcome to keep money out of the hands of criminals.


What you're suggesting ultimately results in the government forcing private companies to harm their own customers and their own brand image. I get where you're coming from (a plant that gets no water stops growing, after all), but this law would quickly become unbelievably unpopular among victims of identity theft. Companies would likely spend more lobbying to overturn this than they do on the ransomware payments themselves, because the reputational harm they'd suffer would cost orders of magnitude more than the ransomware and lobbying anyway.


If only they invested any of that money into decent security instead of lobbying...


That literally does not matter. There is no amount of money that you can pay today to get a system that can protect against a $15M attack. Literal billion-dollar budgets can maybe get you to $1M if management is on board and following all recommendations. It is not a question of money, it is a question of ability.

Cybersecurity spending is a black hole sucking in immense amounts of money while achieving no useful defense against typical threat actors such as organized crime who routinely target these companies. The current large vendors are all peddling snake oil and there is no value to purchasing it to cure what ails you.

The only correct assessment at this time is assuming you are 100% guaranteed to be hacked by organized crime if you are internet connected. You can then work from there to determine how your operations should be structured. Alternatively, you could demand your vendors take on liability for their security guarantees. They will not, but it will help you smoke out the snakes.



