Comment by protocolture

2 days ago

> this must mean the consequences of such a breach have either not produced any visible damage

Yeah, let's say you were carrying unencrypted frames for Bill's Burger Hut.

The largest extent of the damage might be sniffing some SMTP credentials or something. Bill sends some spam messages, never figures out how it was done but their IP reputation is always in the toilet.

Let's then say, instead of Bill's Burger Hut, you are carrying traffic for critical mineral and food industries. The attacker isn't a scammer, but a hostile nation state. Customer never realises, but there's a large, long term financial cost because (TOTALLY NOT CHINA) is sharing this data with competitors of yours overseas, or preparing to drop your pants in a huge way for foreign policy reasons.

No one gets fired until after the worst case long term damage, and even then probably not.

In fact, the likely outcome is that the burden gets moved to the customer for L2 encryption and the cowboy never changes.