Agreed. Cloudflare level of transparency should really be the minimum in cases of security breaches for all companies with any user/customer information. And when found to be purposefully hidden that information you should have your right to do business at least suspended in the US.

A policy as such would -

1. Incentives disclosure (or your essentially DOA in US)
2. Increase the IT budget and force more security over profit (because again the alternative is no profit otherwise - or at least many detailed explanations on how the company still isn’t doing anything)