Consumers always lie in surveys and claim that if a company loses their credit card or other personal info, they’ll go someplace else. In reality, they almost never do.
Why? The pain of switching to a different vendor/store/service/whatever is almost always greater than that of the fraud, even when there is fraud. When it comes to credit cards the only pain is that of reversing a charge. Real ID theft is a lot rarer. We also tend to assume someone tightens the ship after a big breach, making them more secure. We’re nice people, and tend to give someone a pass on the first mistake.
If TJX customers started suffering fraud on a regular basis due to negligence on the part of TJX, I bet sales would drop.
Your security only needs to be good enough to avoid giving your customers more pain than that of buying from someone else.