Persistent indifference to negative externalities and their consequences cannot be shocking? Maybe one becomes inoculated in respect of isolated incidents. But collected together, the statistics still have a shock value - for me, at any rate.
I agree with your main point, though. Corporations have mostly avoided paying the price for the risks/harms they impose, and this means their indifference is indirectly incentivised. They make more money by avoiding the costs associated with upgraded security, while they don't bear (or feel they are unlikely to bear) or can insure the costs to themselves of a major security breach.
The main harm, of course, is borne by consumers. And they themselves have little recourse in these circumstances.
Governments often intervene when a market passes on its costs to innocent third parties. Hence the recent developments in Congress and within the Obama administration under the Homeland Security banner, the increasing patchwork of state legislation regarding corporate data security, along with RT's involvement with the ABA, are all interesting to me.
Developments in the UK and Europe seem to be headed the same way.
There's an increasing force for change which is locking horns with the indifference you've identified.