Compliance is preferred to punishment. I don't know if anyone tracks all the cases of a business getting a warning and adjusting to become compliant before getting fined.
The thing is, our culture is different. We don't go for the jugular immediately.
Our DPAs (and our other authorities like the EU Commission in general) prefer to first say peacefully "hey, we see you got a problem there. You haven't been on our radar before so we'll give you a chance to fix this on your own, and you won't hear from us again". Most companies will say "hey, thanks for the notice, we got our stuff fixed, kthxbai" and that's it.
Fines or, as with the GDPR itself, USB-C or the DMA, actual legislation only comes when you either have repeat / intentional offenders like Meta, or stubborn companies like Apple.
I don’t know if that list is exhaustive. Besides, it’s only fines. I think everywhere I’ve worked has had requests (“what information do you hold on me and what do you do with it?”) that haven’t resulted in any punitive action. I’m not completely sure what you meant by investigations but I’m just trying to point out that GDPR certainly isn’t toothless.
The Czech ÚOOÚ is very lax about this, or maybe understaffed.