[eropple]

> But it does mean that companies can cut costs by just not patching software at all or for a short period (as today).

Sure. Hence the use of a very big stick.

The lack of restraint on bad actors is a societal problem, not an economic one.

[ghaff]

Of course, it's a big stick for both vendors and users. Vendors need to patch the software for N years (or whatever) and, given a competitive market, users have to pay for it.