I think you've missed a key aspect of the rail/air investigation authorities in the UK: If there is an incident you have to report it. The authority then undertake a no-blame investigation on what can be learned from the incident and make the report public.
We need more organisations being open about A) being attacked, and B) how they were hacked.
Until we stop seeing being attacked as something to be swept under the carpet, we can't learn from them.
Over the past couple of years I've come across two attacks: One was handled by the organisation's cyber insurers, who said "Don't speak to a soul about this or we wash our hands of you", and the other the NCC were involved with, who also said "Keep quiet".