Well, you have insurance for ransomware, and it leads to the bad guys specifically targeting companies with such insurance, because they are more likely to pay the ransom.
Exactly. By making the insurance company responsible for both the security and the payout, this would turn into a direct war between the insurance companies and the attackers. The incentives would now be on the insurance company to take the measures necessary to protect against the ransomware in the first place.
Now, if society feels that too many ransoms are being paid (due to externalities, such as loss of confidential information, service quality, etc.), this might also make it easier to implement additional countermeasures. In particular, I think it would make sense to demand a fine or tax any time a company pays such a ransom.
Let's say the government demanded a tax equal to the size of each ransom paid. The insurance/security company would then either have an increased incentive to protect against ransomware, or alternatively, the attackers would understand that the break-even size of the ransom, where it would be preferable for the target to not pay, would be not much higher than half as high.
And you end up with companies having wide security gaps because the Sec and Actuary teams won't agree about anything to actually get on with implementation...
Those insurance companies would then go out of business quickly, and be replaced by organizations that were able to handle this.
This is a benefit of having actual security be the core business for such a company. While for many companies security is a small part of their business and not critical for their long-term performance, a dedicated insurance/security company would HAVE to be good at both to stay competitive.