There's a difference between being held accountable for the possible effect of every unknown flaw, and expecting companies to take reasonable measures once the flaws are known. "Ha! You had no idea this was an issue and now you'll pay" is very different from "You've been sitting on this known vulnerability for how long? And you never made any sort of fix available to your customers, despite the fact that you knew exploits were in the wild; and all the while it's caused untold amounts of harm to banking and other systems because of your negligence."
It's just a slippery slope. Let's say that the device is a decade old: are we going to force the manufacturer, who isn't making money on it and hasn't for 5-8 years, to spend tens of thousands of dollars, minimum, making, testing, and releasing a security fix? For a consumer device? Do we draw the line with some devices, or are we going to enforce this for every internet-connected fridge, toaster, and other internet-connected device?
Do we limit it to companies of a certain size?
Do we limit it only if there are at least 100,000 such devices in active use? How do we measure that? If we can't measure it, then are we forcing companies to submit patches when there may only be a thousand devices in use, but we don't know or can't tell?
Even if we agree that we should have a law (and at this point I'm not convinced that the damage is sufficient to require government regulation/oversight), the complexity is staggering to me.
And that's before we get into vendor complications. Let's say a car manufacturer puts a module in a vehicle, the vehicle is 5 years old, and the vendor of the module evaporated just after delivery of the module (don't get me started on the shell games people play in the auto industry); there are still thousands of them on the road.
The manufacturer isn't going to fix it. They're going to do the same thing that happened to the Prius* and simply disable the module and all associated features. (*I can't find it, but a few years ago an exploit was found in a recent-model but out-of-warranty Prius with its connected vehicle module, and they simply disabled it. I don't recall the follow-up, whether they offered to replace it, made a fix, or if it remains disabled to this day.)
I'm not convinced that there's a good legal reason for the government to regulate/legislate this in the first place, though, particularly for consumer devices. Worst case your ID was stolen, but that can (and does) happen outside of device hacks, and the banks and other parts of industry have established procedures to deal with it. Beyond that, it's a consumer device, not a safety and security issue. These aren't life support or safety devices, and the industries where they are (transportation, medicine, military) are separately regulated such that the code issues do have to be taken care of somehow, usually through recalls. The Toyota unintended acceleration issue was dealt with through normal existing channels and regulation.
Adding additional regulation for consumer devices sounds good in a feel-good way, but presents a terrible burden for industry, forcing them to pretend their consumer devices are somehow safety-critical, and thus to spend untold amounts of money developing to standards that are unrealistic and unnecessary.