Hacker News
by rlpb 2684 days ago
They don't need to. For example in the UK, goods sold need to be of "satisfactory quality" at the time of sale, and if in breach then the seller has to make it good for up to six years after sale, depending on the expected market lifetime of the product.

Something like that is all that's required in primary legislation.

What is missing is a finding that a sufficiently severe security vulnerability present at time of sale falls short of the expected standard. The general concept could be enforced by a court ruling setting precedent or by still quite generic legislation.

Finally it would be up to the courts to decide on a case-by-case basis what constitutes "sufficiently severe" in specific cases. That's no different to how everything else in law works.