by OJFord 2452 days ago
It drives prices up in equivalence with subscription pricing over the typical lifespan.

(i.e. not obviously better or worse)

Subscriptions are ongoing cash-flow. There's no reward to doing a good job, and there's only a perverse reward to not doing a good job--it keeps people subscribed.

Frankly I think the better option might actually be the reverse: a mandatory payout to every customer for every nontrivial security defect. Not sure how you'd adjudicate it, so it's pie-in-the-sky, but take it out of the realm of the class-action lawsuit and see how serious these manufacturers become about correctness.

Businesses fear only the big stick; it should be swung on the consumer's behalf.

Right. There are differences in incentives and how easy it is to make receiving updates mandatory or the default. But it's reasonable to assume that, however implemented and legislated, everyone ends up--from a financial perspective--having to pay for an ongoing support subscription.

Can you explain to me how a subscription, for which only subscribers get fixes, is not a perverse incentive to ship broken software?

Normal software has an argument towards subscriptions if it's adding features. But routers shouldn't be adding features. Routers should be fixing bugs.

Companies seem to be doing a pretty good job of shipping broken software today without the perverse incentive of a subscription.

Companies do buy subscriptions for older software even though they may only be getting security fixes at this point.

That said, I do think bundling longer-term updates into the cost is better insofar as it means buyers don't get a choice to just use the unpatched software. But it does mean that companies can cut costs by just not patching software at all or for a short period (as today).

> But it does mean that companies can cut costs by just not patching software at all or for a short period (as today).

Sure. Hence the use of a very big stick.

The lack of restraint on bad actors is a societal problem, not an economic one.

Of course, it's a big stick for both vendors and users. Vendors need to patch the software for N years (or whatever) and, given a competitive market, users have to pay for it.

Maybe the manufacturers would figure out more efficient solutions given incentives that encouraged them to do so. For example, they might decide it’d be more efficient to use OpenWrt than to do separate security maintenance for N incompatible closed platforms.