The point of this effort is to elicit change from these organizations. If having breaches "a few years ago" means never getting a star, why would a company care?