I actually think it's entirely the other way round.
A small business or a startup should have a relatively limited amount of data capture, and that data should be stored in a relatively limited number of places. In most cases, it should be straightforward to make sure that this is documented and appropriate controls are in place.
On the other hand, large companies have vast quantities of uncontrolled data gathering that nobody is responsible for.
Spot on. The biggest problem cases are hospitals, banks, insurance companies, airlines and - funny enough - governments. They all hold mountains of data and the systems are old and in many cases no longer maintained by anybody that was there when the system was first created.