Infosec Architect here, aside from lost business, civil cases and regulator penalties finding the root cause, searching for other potential problems, sanitizing everything etc can often take literally thousands of person days. Normally you don’t have that kinda staff on hand so you end up paying big bucks to a consultancy that has you over a barrel and knows it.