While I think there does need to be more standards and regulation for security of embedded devices°, it will always be problematic.
Software is unlike most products that have come before in human history. I'd almost say that software is a bit like an ideology, which can be modified by third parties to achieve a certain goal.
I'm really afraid attempts at regulation will end up turning into a witch hunt, a bit like finding the communists in the American 40s and 50s.
° Before people start complaining that standards and regulations are put up to collect fees and restrict access: I know, and I agree. However, I think we as software developers need to accept that even if we are perfect, not everyone else is (and certainly most companies aren't), and the business needs penalties for cutting corners and shipping insecure shit.