This is one of the biggest issues I have with the self-assessment approach to compliance. Every one of those small and many medium size businesses will have attested to their compliance, and it's not until something goes wrong that anything is done about it.
If the UK wants to be "Cyber Secure" it needs to do more than ask businesses if they are compliant. Not many businesses are going to say "no, we're not".
I've been told that 67% of UK businesses aren't GDPR compliant. I'm willing to bet that figure isn't an accurate reflection of how businesses represent themselves to the public or the ICO.
It's the same with PCI-DSS. If I can self-assess myself, does it not matter to the banks that I'm getting it horribly wrong?