Like, I'm in favor of personal liability for execs who willfully sacrifice everything and everyone else for their own increased profit as much as the next guy. But there are at least two major problems with your statement:

1) The kinds of infrastructural improvements needed to genuinely increase security are likely to take significant time and money to put in place—and the money, in many cases, will also mean more time. We're talking years in some cases, even if people are moving at the fastest pace they can while still being responsible.

2) Security is a genuinely hard problem. No matter how good your procedures, your hardware, and your software, humans still have to interact with the data, and humans will always be fallible. Social engineering, blackmail, revenge, and just plain carelessness will always put data at risk, even if the company as a whole is fully and wholeheartedly committed to security.

So are you going to put the heads of your local credit union in prison if someone in their IT department is disgruntled about not getting a promotion they think they're entitled to, and decides to stick it to the man by stealing the DB of social security numbers and selling it on the dark web? (Or whatever other scenario you can think of)