There are certain things that are, collectively, patently negligent: storing passwords in plain text, not salting passwords, not using, at a minimum, software firewalls, etc. Those are fairly boolean. It's also fair to assume that any company that is hit with a 0-day is not negligent; even the best prepared companies are susceptible to them. So there are some decent guidelines to rely upon to demonstrate negligence or not at the extremes. Of course, in the middle it is, admittedly, a bit gray. But the teeth that come into play would look exactly like GDPR.
Yes, I agree completely, that C-levels will see that the CISO is a replaceable widget that is nothing more than a scapegoat.