A number of reasons but to put it simply:

* There are fines, depending on the size of the company, size of the breach and the country. For example British Airways had a huge data breach in 2018 and was fined $26 million. This is considerably less than the $238 million fine that the ICO originally said it intended to issue back in 2019.

* Consultants/experts are needed to investigate, find out how the data was breached, and fix any IT issues they find/increase security. This could easily be millions for a large company.
* Civil lawsuits.
* Loss of business. Businesses are less likely to work with you due to fear of bad PR, data protection and loss of customers using your service.
* Bad PR leads to a decline in your stock value (this could easily wipe millions from a company’s stock)