HIPAA is extraordinarily expensive; meanwhile healthcare providers continue to have abominable security because compliance is offloaded to a "compliance team" who comes around once in a while to check boxes without really understanding the system, which is managed by other people who don't really understand HIPAA. This is one of the reasons security in large organizations is hard. Bureaucracies gravitate toward bureaucratic solutions, but then the left hand doesn't know what the right hand is doing, which is a direct mechanism for security to get messed up.
SOX isn't really about "security", it's about auditing and so on, but it suffers from a disadvantageous trade-off. Large companies are less likely to have accounting problems than smaller ones. The law was passed in response to major outliers like Enron, but basing rules on rare outliers generally results in bad rules. Meanwhile the smaller companies have disproportionately higher compliance costs, to the point that there have been proposals to exempt smaller companies. But that implies it probably isn't worth it for large companies because the rate of fraud is so low, and it probably isn't worth it for small companies because the compliance costs are so high, and then there's nothing left.
Whereas NIST CSF is a different kind of thing because it's voluntary. This is where government publications can really do some good, because if they publish rubbish then nobody has to pay any attention to it and the cost is limited to the money they spent creating it, but if it's good then it's valuable to anyone who uses it. The government should definitely lean towards this method, but it's hard to call this one "regulations" -- and the criticism you're responding to was that corporations would end up "just gaming the regulations".