In my mind there should probably be fines for this sort of thing that are evaluated against whether the company was needlessly reckless, similar to what is going on with Boeing right now. Even with pentesting and code reviews and strict testing, things like this may still happen. What we need is to subject it to the same legal precedents that makers of physical products are. If the company was found negligent in its build, it should be fined accordingly.

The more interesting conversation around this is how this works internationally. The problem is, on the world stage, with laws being different in every country, you really cannot subject an outside entity to your laws effectively without being able to shut them down. Countries would have to have control of the internet to be able to shut down a non-compliant foreign entity. For instance, Mark Zuckerberg can turn up his nose at GDPR and not show up to court proceedings since he is safe inside the US.

I don't believe I'd want to create a world where violating a law like GDPR outside of my home state could mean extradition and trial anywhere else. This creates a situation where any country could put anyone on trial for any violation. While many consider GDPR a good thing, you can easily imagine this growing into a Black Mirror-like scenario where countries with archaic laws start trying to try people in their own countries for laws that would never exist in another (my thoughts go to social media and violations of modesty laws).

In general we've never quite had a tool this vast and this open before. With physical products, you can just halt shipment into the country at customs; there isn't such a concept when it comes to the internet. This could lead to more diversity of tools though. For instance, I might choose to use a video technology from a European-based company knowing they are subject to stricter laws and scrutiny. In this sense GDPR becomes a great comparative advantage. Right now I don't see enough research into the tools that we use in general, just which one performs better, or which one is cheaper--maybe things like this open the conversation up to "would this company be held legally accountable if something horrific happened?"