by Joeri 3803 days ago
Security can never be perfect, but it can be sufficient. Simple sufficient regulation could be having a clearly documented address and process for security issues to get reported and an obligation to provide fixes for remote vulnerabilities in a reasonable time frame after becoming aware of them within the warranty period (they are design flaws, so warranty should cover them). In other words, legally mandate everyone should do what conscientious vendors already do.

Your suggestion is not sufficient; you also need a way to roll out the updates, which means a network connection to the outside world, but for someone who has done an IoT setup himself it is probably a sane thing to put the IoT things onto their own network, without internet connectivity. So yes, it is likely possible that there could be sane regulation, but I lack trust that regulation will be sane, and even more, I suspect that regulation will interfere with my use case, so that I have to jailbreak my light bulbs.
Your light bulbs already have to adhere to regulation, and it's largely not been a hindrance at all. In fact, most of it has been helpful.