by cheschire 1682 days ago
Security doesn’t scale at a price point that private sector companies could typically afford.

Perhaps we fail at pricing security into the value of a company, or maybe that’s what risk appetite is about.

2 comments

The problem is that you can get away with minimal security for a long time. Sure, if you get hit, shit hits the fan. But by then, it's quite likely that all competitors that spend money and time on security and good infrastructure are long gone.

This is worsened by the fact that it's very hard for laypeople to assess the security of a specific application and that, by now, "cyberattack" has become common enough that it's easily accepted as an excuse.

Which is why certifications, audits, and minimum mandated standards are critically important.

The market just yawns at this stuff, until it gets fragged. Then it forgets and the cycle repeats.

> Which is why certifications, audits, and minimum mandated standards are critically important.

Not sure about that. All the security standards want me to run software written in an unsafe language as root on every device, intentionally parsing malicious inputs continuously.

That’s not making anything safer.

Pretty clearly, the standards have to be effective and well-designed. And yes, there are problems with that.

But the point remains that markets do very poorly at rare and/or cumulative risks. And that's the comparison I'm making. The market of and by itself will give you a race to the bottom in standards.

A longer-term view, whether through government regulation and oversight, social suasion, religious morality and ethics, or (possibly) insurance-oriented risk management (yes, a market mechanism, though something of an exception to the rule), will typically operate by the mechanisms I've described above. That there may be poor implementations doesn't obviate the fact that there can also be good ones, and that that's the goal we're aiming for.

Probably, at least some part of a modern financial sector, including startups, has many things in common with pyramid schemes.