Not having a for-profit rationale would cut down on most, if not all, attempts to sell personal information, because funding could come in different ways (donations, for instance).

Some non-profits have a terrible track record with information security, but that's mostly because their major focus is not IT.