What you're suggesting requires creating a massive federal bureaucracy to continuously survey the product landscape. It then requires the private sector to duplicate that work. This is stupid.
The government has vulnerabilities in stock that they already verify function as intended. They already regularly verify these vulnerabilities continue to function with each update cycle. They already quantify these vulnerabilities by ease-of-discovery, impact, etc. so they can prioritize utilization. They already determine which vulnerabilities to disclose.
Assuming that the vulnerabilities they disclose are not entirely "actively under exploit", the only difference in my proposed policy is that they do not disclose the details to the vendors so they can paper over them. Instead, they publicly announce the presence of vulnerabilities and then keep verifying as they already do until the vulnerabilities no longer function.
You seem to think I am arguing that the government should create a new organization to look for vulnerabilities in all software everywhere and then act as I stated.
Then you are arguing with a strawman. I never proposed they do it across all products, only the products that they already have vulnerabilities in that they already seek to disclose.
You cannot change the parameters of my proposal to explicitly require a gigantic bureaucracy and then argue that it is a poor idea because the gigantic bureaucracy you added is a problem. You could have argued that my proposal is untenable because it would be "unfair" and the only way to make it fair would be to do it comprehensively, which would be too hard.
To which I would state:
1) That means we as a society care more about being "fair" to companies with inadequate software security than about demanding adequate software security. Could be the case, but then everything other than rolling over and accepting it is off the table.
2) The government already requires certification against the Common Criteria for many software products in use by the government. You could restrict this policy to just systems that are used and require certification before use. It would thus be applied "fairly" to government procurement and incentivize improvements in security for procured systems.
3) This should actually just be general policy for everybody, but only the government, currently, has enough leverage to really pull off publicly announcing a problem and the vendor not being able to just shove it under the rug.
And, even if you disagree with those points, I am also making the point that the current policy of disclosing the vulnerability so the vendor can make a point-patch to resolve it instead of fixing their overall security process is a failed security policy at the societal level. We need mechanisms to encourage overall security process improvement. Currently, the only thing that does that is the exponentially increasing amount and severity of hacks, and it would be nice to get ahead of it instead of being purely reactionary.
1) Government already has vulnerabilities.
2) Government ranks vulnerabilities they already own by "difficulty to discover".
3) Government selects the lowest "difficulty to discover" vulnerabilities they already own.
4) Government announces that products with known "lowest difficulty to discover" vulnerabilities are vulnerable, but does not disclose them.
5) Government keeps announcing that those products continue to be the most "insecure" until all vulnerabilities they already own at that level are fixed.
6) Repeat.