
It's called the GDPR. Places other than the US exist, and the bug reporter seems to be an EU resident.


The GDPR indeed has provisions to fine companies for "avoidable" data leaks due to lacking security practices. The regulators will not pay you a bounty for reporting companies, and there is a big difference between a normal "bug" and "bad practices".

E.g. one of the first GDPR fines here in Germany was issued against a company that had their customer DB dumped[0], specifically for still storing some user passwords in plaintext.

[0] https://gdprhub.eu/index.php?title=LfDI_-_O_1018/115



