In one of the early days of the I am the Cavalry movement, I heard this useful phrase from someone who has done a great deal of work in healthcare:
 
"If you can't afford to protect it, you can't afford to deploy it."

Unfortunately, many services treat basic privacy & security features as an add-on, rather than table-stakes for operating.

One frequent model is for services to market themselves at the user level, grow a userbase, and then charge organizations to manage access and security. (Yammer and Slack grew this way, for example, as have many others.)

I recently came across this resource that is specifically fighting the SSO (single-sign-on) security tax.

They explain why SSO should be a default in many services, or at least a reasonable upcharge. There's also a table of data showing the delta between normal price and SSO-included price. Take a look!

Now, I'm not saying all services require SSO. I'm not saying all services need advanced security & privacy features. But each SaaS provider should look at the incentives they are creating, consider the needs of their users, and act accordingly.