[WalterBright]

> The only way to really improve the level of security in the industry is to assign responsibility and damages to those who fail to implement it.

This is the punishment approach. What it inevitably leads to is denial, coverup, unwillingness to innovate, and not fixing problems because fixing them is an implicit admission of fault.

The better way is for no-fault, encouraging disclosure and openness about bugs, and collaboration in fixing them.

[staunton]

> What it inevitably leads to is denial, coverup, unwillingness to innovate

... and finally adoption of the required methods and reaching required standards, like countless cases of successful regulation since times immemorial.

How do you give companies a positive incentive to fix an issue if the issue does not cost them money? Fixing such an issue is a competitive disadvantage.

> The better way is for no-fault, encouraging disclosure and openness about bugs, and collaboration in fixing them.

What does that look like? Paying companies per disclosed bug in their software? State sponored white-hat hacker teams that find and fix the companies' bugs for them without disclosure? I can't think of anything that sounds realistic.

[WalterBright]

> What does that look like?

The D Language Foundation operates that way, for a real world example. The bug list is open, anyone can /view/comment on/submit a fix/ for any bug.

> Fixing such an issue is a competitive disadvantage.

Fixing problems is an advantage, not a disadvantage.