
pixl97 today at 4:18 PM

>Some embeds the credentials, someone else ships the product.

It doesn't matter. When you are building software, you build a security process, not security individuals, or stuff like this happens.

>orbiter to Mars and then immediately crashed

Right, and it cost NASA 1.4 billion+ in direct losses to them. With software writers the losses occur to the end user.


Replies

AnthonyMouse today at 6:20 PM

> When you are building software, you build a security process, not security individuals or stuff like this happens.

You can't solve an incentive problem with process because then they lack the incentive to follow the process.

To enforce a law you need to be able to identify a violation at a point in time when you can still impose a penalty for it. When a device is first released, you don't yet know if anyone will find a vulnerability in it or if the company will stay around to update it if they do. By the time you find out if it will happen, you can't punish them for the same reason they can't provide updates: they've ceased operations and no longer exist. So that doesn't work.

> With software writers the losses occur to the end user.

Which is why the end user needs to be empowered to efficiently prevent the losses, since they're the one with the strongest incentive to do it.