I don't think the CEO has direct knowledge of the company's security and the only method of control is to hire who they think is the best CTO. Then the same for the CTO and whomever he hires, etc. The general attitude I've seen is that you hire someone below you and put nearly 100% trust in them, they are in control. Anything else is considered just inappropriate, like micromanagement for example.
"Nobody wants to be the CEO at the helm when a successful company was ruined"
Are successful people really concerned about pride? I always thought it was money and I'm not being sarcastic. I tried to find some data to back this up but couldn't. However, as an anecdotal example, Henry Ford II was the CEO/chairman/president from 1945 to 1980. This includes the period where the Ford Pinto (70-80) existed and received huge amounts of negative press. It's also when imports started to take a major toll on American car manufacturers (late 70s). The only reason he retired was the mandatory retirement age at Ford.
To fix this I think we need to ignore punishments for now and focus on prevention. A government agency, funded by fees, should do yearly audits on companies that have more than X users or some other variable to confirm compliance.
And yes, Boeing has this but they were too chummy with the regulators and this and that. Even though it's not perfect it's a first step. We can fix the problems similar to what came about in the aerospace industry later.