In much of the world we already have mandatory reporting if a breach results in disclosure of private information. I think the more focused question is if other scenarios are "important" enough to justify additional laws. In the SolarWinds disclosure (which inspired the article), I saw two "important" bits -- a captivating story with politics, intrigue, and drama; and also an urgency to mitigate. Of these, I feel "mitigation" probably ought to be legally mandated, but "outing the story" is probably better left to other venues (e.g. the news media).
Thinking about how to leverage our legal systems, I would probably extend product recall laws to include PII. And just like the physical world, neither "agreements" nor "product lifecycle" should shield applicability. The prototypical example is Takata, whose airbags were spraying shrapnel. Even my 12-year-old car got a "no-cost-to-me" replacement. The same should apply to a software defect that poses a significant risk to life, safety, or PII.