Are there any potential legal ramifications of not applying security patches?

If a company were to lax behind in security patching (knowingly), would there be any potential legal ramifications?

Obviously if private customer data is stolen as a result of a breach using security vulnerabilities, those customers could sue. Are there other potential legal ramifications, like the CEO or CTO facing criminal charges? Other financial consequences?