So far most of the rulings have followed the pattern predicted before the GDPR was enacted, and the fines have been rising steadily for repeat offenders.
FB is asking to be made into an example. And yes, you are right, an EU privacy regulator would be good to have but the EDPB is doing a reasonably good job of supervising the member states so far and as the law becomes more settled (and respected) I would expect differences between countries to be leveled. Time will tell.
When the GDPR was rolled out, the message was very clear: our goal is compliance, not maximum fines. So first someone has to complain. Then they investigate. If things are not OK, you first get a warning, and if you get your act together, all is good. If you don't, you get a fine, and the fines will escalate.
So it takes a bit, by design and intention. But it will get there, and 4% of global revenue is nothing to sneeze at...
FB is asking to be made into an example. And yes, you are right, an EU privacy regulator would be good to have but the EDPB is doing a reasonably good job of supervising the member states so far and as the law becomes more settled (and respected) I would expect differences between countries to be leveled. Time will tell.