The GDPR (in art 32) only requires that "the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk". I expect it's quite common for a company to get hacked even if they meet that level. I think the parent comment was imagining that any leak is automatically fined, regardless of whether the company had met some security requirement.