If they wanted to promote competence then the damages would be applied to the corporation for implementing the vulnerability, not on the attacker for exposing it. This way, corporations are given a shield for being incompetent and can place the blame and damages upon an individual that brings them to light.

Oh, if you want to actually raise competence, sure. But they meant projecting the image of competence.

“Promoting the competence of” does not require actual competence. Exposing incompetence undermines that promotion.

The government is a lot more concerned with the image, and its effect on trade, over the substance.