A better option is to create a government testing and patching standard, fips-1024 let's say, and only buy devices that comply. The private industry usually follows and innovates around said standards, whereas the forceful regulatory approach seems to fail quite often.

Well, if only we realized sooner, the best way to make the IoT secure is to get Congress involved.

Great, this has been a long time coming.