privacy – Company Security Policy Ranking Metrics

I am attempting to construct a ranking of US publically-traded companies according to how much they would put their customers at risk when a data breach happens.
My question to infosec practioners with experience of real breaches is, what is a good set of metrics to gather? What makes a breach “better” versus “worse”?

Fast public reporting?
Having 2FA options in place?
Nothing in plaintext?
Server logs turned on (…cough…Ubiquiti…)?

Some of my assumptions to date (please correct me if I am wrong here):

  • There is no way to numerically quantify the risk that a breach will
    occur prior to it happening

  • There is no way to numerically quantify how “bad” a given breach is

  • Qualitative expert judgement is therefore the only way to select

  • Even items which are weakly correlated with customer harm could help
    (by averaging + assuming monotonically increasing “harm” on every variable)

  • Numeric variables (e.g. how long between breach and reporting) and booleans (e.g. does the company have a process for x) are both useful