
No, legal principles are designed to specify liability.


This. I'd go as far as to say that the law mostly tries to conserve liability, in the "energy conservation" sense. Once harm is defined and quantified, the consequences have to be discharged somewhere, and there are tons of rules that try to sensibly distribute them among the parties involved, while counteracting everyone's attempts at diffusing liability or redirecting it somewhere else.

On that note, after some time working in cybersec and GRC fields, I realized that cybersecurity is best understood in terms of liability management. This is what all the security framework certification and auditing is about, and this is a big reason security today is more about buying services from the right vendors and less about the hard tech stuff. Preventing a hack is hard. Making it so you aren't liable for the consequences is easier - and it looks like a network of companies interlinked with contracts that shift liability around. It's a kind of distributed meta-insurance (that also involves actual insurance, too).


> (that also involves actual insurance, too)

My eyes were opened to this when management wasn't talking about deleting unneeded private data just as the right thing to do, but specifically about how it could reduce our insurance premiums.


In business, everything that can be reduced to money ultimately always is. And in the vast majority of cases, for ongoing business operations and events that don't directly hurt or kill people, it actually turns out fine.

The core insight that made me start to understand how companies see the world was reading about ocean freight shipping. Specifically, what happens when there's bad weather, or a dangerous malfunction, or some other unexpected event that throws containers off the ship or forces the sailors to intentionally dump them, resulting in millions of dollars' worth of cargo afloat in the middle of the ocean.

What happens is, a whole lot of nothing. No one will actually bother to try and recover it. The cargo operators, ship owners, and owners of the actual cargo, will all file claims with their respective maritime insurance providers, and call it a day.

The same principle applies everywhere, including in cybersecurity. Past some point, trying to reduce the risk or shift the liability to somewhere else becomes more expensive than just insuring against the expected loss.



