
Then the law must say you can't write code that doesn't utilize prepared statements.


Nothing is this simple in technology ever - it is extremely difficult to declare blanket rules like this.

I do think it's reasonable to try and get third party software auditing to become more normalized, if a contractor is writing a scheduling system to control class enrollment I'd appreciate another contractor looking it over... but even that has its issues.


Of course, it was just a gross simplification. However, SQLi that causes data theft as such could be punished; GDPR kinda does that.



