I can share some thoughts.
The problem we've seen with small organizations is that it is always a trade-off of risks. There are checklists available, or policy documentation, around what to do as a small organization. Unfortunately, it is up to the organization to implement some of those best practices that have been established. We've seen organizations, especially smaller organizations, treat those more seriously, especially as they become, as you said, more data-intensive.
However, we have not been able to establish a checklist based on the vulnerability data that we've seen on a platform level yet, but we do expect that will happen in the next couple of years.