You don’t think the vendors who are years behind on dependency updates are skimping? Not the ones who are still struggling to ship patches on a better than quarterly cadence? Not the ones who still ship 90s-style C code to enterprise customers who are paying high prices for their security products? Not the ones still writing new code in memory unsafe languages? Not the ones who still tell customers to disable SELinux? Not the ones who still refuse to use the sandboxing features in modern operating systems?

Companies love the idea that you can’t hold them liable for any defect they didn’t intentionally build in, but software is the extreme outlier where they were able to avoid consumer safety regulations and thus the expense of hiring people who can even tell when something is risky. Shifting the cost back to the supplier would restore the market feedback mechanism which is currently missing, greatly improving the health of the industry.
