I think that the negative externalities of poorly secured IoT devices scale linearly with the number attached to the internet whereas the cost of writing more secure software and keeping it updated scales much much more slowly with the number of installs. I think this means that the best solution is to have tiered levels of certification and regulatory burden based on the number of times a piece of software is installed. Ideally tiering would be done on the total bandwidth of all devices with a piece of software installed but this would be much more difficult to measure and enforce then counting installs.

If no product with less then X thousand installs has to deal with the regulatory overhead of certification then experiments and early stage companies are less likely to be squashed. I would also exempt open source software from having forced audits or minimum standards for security. This would have the side effect of encouraging more companies to publish their firmware open source which would also not be a bad outcome.

To prevent companies manufacturing lots of almost identical product lines each individually under the limit for audits I think it would also be necessary to count all products that share more then half their code as one product.

Sent, I would love to see Randall Munroe's take on it.

I also thought that you were being serious. There is a good reason people use explicit markers for sarcasm like: <sarcasm> </sarcasm>

I encourage you to look up Poe's law

You are probably referring to: http://arxiv.org/

Hanlon's razor: "never attribute to malice that which is adequately explained by stupidity"

Clark's Law: Any sufficiently advanced incompetence is indistinguishable from malice.