So, in terms of self-enforcement, I have pretty much every poorly built PHP webapp from 1996-2014 as evidence that this won't happen. People are bad at security, including big people with lots to lose (see... I don't know, any high profile breech ever) so regulating this is quite necessary. Sometimes it'll even empower developers to push back on deadlines with the comment that cutting security corners will violate laws.