Hacker News
by tptacek 3805 days ago
Yeah, you're confused because I mis-wrote that. Wow, that was indeed a confusing sentence. I meant regs will hurt innovation, not security.

The problem is that I think the security gains will also be marginal, and the innovation harm will be significant.

In particular, the history of security standards, which you bring up as an example of "good regulation", is checkered.

I agree with you that mandatory insurance could be a "middle way" between intrusive regulation and no regulation. But that's essentially the structure the payments industry uses with PCI, and PCI has been a race-to-the-bottom.