Much of this brouhaha is about the niche of online businesses, which is the thing that's most visible here on HN, but which really wasn't the primary focus of GDPR which applies to all the businesses in society, the vast majority of which aren't global websites.

If I look at the changes implemented by local telecommunications companies, local banks, local supermarket loyalty programs, local pizza delivery chains, local real estate brokers, etc - these types of businesses had all kinds of widespread shenanigans before GDPR, but now they overwhelmingly have acted in good faith, and have given users clear and convenient ways of opting out (because, really, they didn't have a choice). Like, we don't see EU phone carriers selling location data to advertisers the way they do in USA - now that is a significant thing compared to some blog putting on a cookie.

For most companies, the transition has happened reasonably well - it's just that a few (but large and highly visible) global companies are holding out because of political reasons preventing enforcement - mostly stemming the fact that Ireland's DPA is currently permitted to unilaterally shield them from the rest of EU and has motivation to do it because it's financially beneficial for Ireland to have Facebook/Google/etc have their EU domicile be in Ireland.

> it's something that should have been expected by EU legislators

It has been - the regulation explicitly outlaws such malicious pseudo-compliance. The problem is that GDPR enforcement has been severely lacking, so malicious actors are allowed to run free.