I am not a US citizen, so I cannot have a say here, but I have another idea.
What's the problem if an IoT device is vulnerable? In the worst case the user will have to buy a new one (or pay someone to fix it). Is it a serious problem? I think not. Eventually users will understand which manufacturers are reliable and which are not.
You probably want to argue that infected devices can be used in DDoS attacks. But in this case, why don't you take measures against DDoS attacks directly and leave IoT devices alone?
Why, despite the Internet existing for 50 years, is there no protocol by which any host can demand that all upstream providers block traffic from specific IP addresses? This would make low-level (transport-level and below) DDoS attacks impossible.
Make such a standard and make it required for all top-level ISPs. In this case the malicious traffic can be stopped at the source network or at least at the Tier-1 level. Middlemen like Cloudflare would become unnecessary, and you would be able to withstand a multigigabit DDoS attack even with just a $5 VPS.