Security regulations and frameworks are good and necessary, but they can be inflexible and draw focus away from the most significant security risks.
That concept continues as you scale past a single company. You can secure a single organization with written policies and procedures, but it takes industry or government regulations and frameworks to secure everyone. Good, long-term security for the entire macrocosm will not happen without regulations and frameworks that companies are forced to follow. Voluntary participation does not work for computer security.