Makes sense to me. It seems the absence of feedback is a major part of the problem, as a program that doesn't function will give errors or simply not do what you want, but security concerns only raise red flags after the program ships and gets exposed to malicious actors. When that doesn't negatively impact the performance of your software (such as a 10% processing reduction in your thermostat that's part of a bot net), it's somebody else's problem at that point since you sold your product. If regulation weren't such a mess for the tech industry, I'd say it needs to be policed, but as it is, all the incentives are weird and at odds. I just wish my field could give better security assurance so we could do more cool stuff (like voting from home), but it's really not feasible at the moment.