by dorian-graph 3323 days ago
The reality is, this is very common.

Then what, realistically, can be done when nation-state knowledge of vulnerable systems is hoarded for cyber-warfare purposes?
Frankly, there is only one solution I can see anymore:

Laws must be passed to:

* Force the US government to report vulnerabilities to vendors

* Create a regulatory body to monitor the use of vulnerabilities in clandestine operations and ensure that mandatory reporting is upheld

I cannot see anything less working.

Get that through US and EU governments, and you'll likely have the vast majority of vulnerabilities being reported and patched.

Of course this is akin to asking the US and Russia to convert their nuclear stockpile into reactor fuel.