In one of the early days of the I am the Cavalry movement, I heard this useful phrase from someone who has done a great deal of work in healthcare:
"If you can't afford to protect it, you can't afford to deploy it."
Unfortunately, many services treat basic privacy & security features as an add-on, rather than table-stakes for operating.
One frequent model is for services to market themselves at the user level, grow a userbase, and then charge organizations to manage access and security. (Yammer and Slack grew this way, for example, as have many others.)
I recently came across this resource that is specifically fighting the SSO (single-sign-on) security tax.
They explain why SSO should be a default in many services, or at least a reasonable upcharge. There's also a table of data showing the delta between normal price and SSO-included price. Take a look!
Now, I'm not saying all services require SSO. I'm not saying all services need advanced security & privacy features. But each SaaS provider should look at the incentives they are creating, consider the needs of their users, and act accordingly.