[DashRattlesnake]

I don't think that's necessarily a bad thing. If a company doesn't have the resources to create secure products, then maybe it shouldn't be in that business in the first place.

[Jtsummers]

The problem is not whether they can create a secure product, but whether they can afford to certify their products as secure.

From my experience in the aviation software world, we spend a great deal more on demonstrating reliability than in producing it. This forces a huge amount of overhead on our projects. This isn't a bad thing, mind you, but it is a thing to consider.

It is hard for a couple engineers to start a new company making these sorts of systems. The only practical way is to have a truly good and demonstrably better solution, or be inside a large corporation with already deep pockets.

[munificent]

> From my experience in the aviation software world, we spend a great deal more on demonstrating reliability than in producing it.

The same is true in organic produce. I hear of a lot of farms that follow all the rules to raise organic goods but can't label them "certified USDA organic" because the certification process is too expensive.

[DashRattlesnake]

This is what I was responding to in the original comment:

> forced firmware updating is an area our governments should not be mandating

I think that if a company can't maintain a team to deliver regular security updates to their internet-connected products, then they shouldn't be producing internet-connected products in the first place.

I agree with you that government-mandated aviation-software levels of product certification would be destructive overkill.