I'm certainly not surprised that you would go to a small business with, say, a dozen employees, and find there was perhaps not awareness that someone in each had to be designated as a privacy officer and had to undertake certain functions to be compliant.
What I really want to know and what I didn't get was whether even by anecdote, since you mentioned this process didn't have a final report, you saw evidence of harm done to the customers of these small businesses. Did you see evidence of breaches of consumers' privacy?