With many cyber attacks going unnoticed for long periods (many of which could be considered avoidable given significantly better 'cyber hygiene', particularly in the areas of patch management and employee security awareness training), fining the negligent organisations might be an option.
It is a well documented truism that if you get something for free you value it far less than if you actually pay for it, a principle applied by acquiring banks in the early days of PCI DSS.
In my experience, some valiantly offered free-to-use self-validation services which garnered negligible take-up. Offering a very similar mandatory service, with a small fee applied to it, saw take-up sky-rocket pretty much overnight. Now, it's fair to say that this take-up was stimulated by an associated ongoing admin fee that was levied until merchants actually went through the validation process. A sort of "carrot and stick" approach, but one that served to get the audience to sit up and take notice. And to this day PCI DSS is the most widely adhered to common cyber security standard anywhere in the world.
I maintain that those enforcing GDPR can learn a lot from PCI DSS; however, actually fining businesses for failing to adhere to basic cyber security standards would be almost impossible. Firstly, there is no universal standard, and secondly it would be impossible to police. Indeed, the whole idea of the punitive fine structure that comes with GDPR is that this should be motivation enough to start taking the basics seriously.
In my opinion, the real answer lies with cyber insurance, which, if underwritten effectively, will demand that a policy is only valid where the fundamentals are adhered to. Any failure to apply patches and adequately train employees would be assessed by loss adjusters and claims dealt with accordingly.
Ultimately I believe that businesses will have to prove that they are adequately cyber insured in order to trade. This might take time - just as the public services we enjoy today evolved in line with the prevailing risks, established suitable baseline standards and looked to insurance to cover any residual risk that inevitably remains.
So should companies be worried about fines being introduced at some point, not for being breached per se, but for failing to take even the basic security measures needed to protect themselves?