There are plenty of laws and legal instruments / concepts (controlling stake, anti-avoidance laws, etc) that stop large companies from doing this.

And that is just as "possible" under the current structure of GDPR.

Not really. For example, if Facebook Inc. establishes a "Totally not FB LLC" for the purpose of skirting GDPR, Facebook Inc. is still the data controller according to the law, as it is directing the data collection and purpose, even if "Totally not FB LLC" does all of the handling as a data processor. Except now the fine is levied on the total turnover of both companies, not just one.

Right, I meant it's just as "possible" in the sense of it not really being practically possible.