The answer to the question about who is behind with EU General Data Protection Regulation (GDPR) readiness is in short:
- A lot of companies
- A lot of governments
When following the vibe around getting prepared for GDPR, and from my own involvement at clients, there is no doubt about that time is short and that not every company (well, probably only a few companies) within the European Union will be 100 % ready on 25th May 2018 and this also counts for those outside EU who is targeting EU citizens or processing personal data from the EU.
However, most EU governments are not any better. According to a recent communication from the EU only two Member States (Germany and Austria) have adopted the necessary national legislation. And from own experience I can tell that the late incoming of the national legislation does not help in getting the details ready for 25th May.
Some areas where national legislation is important were discussed in the post Where GDPR Still Becomes National. In my eyes, the remaining governments do not set an example for companies who are struggling with this (else justified) extra work.
Liliendahl on Data Quality 
Here is an overview of all the opening clauses that give Member States room for maouevre and that are step by step used by them now:
Thanks a lot for sharing Winfried
A lot has been made of the fines for commercial organizations. Are there penalties for non compliant government organizations?
At least in Germany the decision has been made against fines for authorities. DPAs are (albeit independent) state authorities. If they would fine governmental organisations that would mean fines by state authorities against state authorities. So tax money would go from one pocket of the state to another pocket.