> I said it elsewhere in the thread, but the current model is already falling apart: it has led to random IoT devices becoming parts of widespread botnets, affecting Internet functioning, and putting unwitting consumers at risk.

But isn't this also exactly how the pitch will sound for what I proposed? You know, "The internet is too important and random people are allowed to upload and run random dangerous code within it with no oversight, this has to be stopped." The manufacturers will never bear the consequences of their choices, the consumers will. There might be a push to make the internet watertight by requiring all major websites and services to only allow access to "secure" devices and block all other traffic. After all, why spend money on cybersecurity when everyone can only use the (important parts of the) internet with their real names, and developers are de-anonymized?

Will this actually improve security? It seems very unlikely. But despite it, this move seems like exactly the kind of thing that's coming, because it massively benefits both companies and governments.

You are right, which is why I stress the time component and e-waste concerns. If, combined, they end up meaning that a vendor ships you a device and they need to take it back for recycling in 2-7 years when they stop providing security updates, the market will force a change.

At the moment, laws are disjoint even in the EU, and not strict about what happens when you stop fixing security bugs.