You're absolutely right! GDPR is wonderful for users as a ringing and clear statement of human rights.
Unfortunately, it also needs to be for companies because it affects companies just as much as users. I would go so far as to say GDPR rests almost entirely on companies to turn this stirring declaration of human rights into rights said humans can actually make use of. In this regard, it's a collection of opportunities for improvement of awe-inspiring proportions.
You're right. Technologies and threat landscapes change. Regulation needs to acknowledge this or be worse than useless. Yet, perhaps there are ways to deal with this that don't rest largely on handwaving away critical questions of what compliance actually might look like with weasel-words like "reasonable".
Does that seem possible?