When someone does KYC, they are forced to hand over parts of their personal identity to third parties (such as an exchange, ICO, etc.). After that point, they are no longer in control of the process and are fully exposed to third parties to safely handle their confidential data. If something gets hacked, the affected people cannot do anything.