I would actually prefer a law that (in addition?) required a reasonable standard of care with regard to security, imposed responsibility for consequential loss for negligence, and left the courts to interpret it.
Yes, but 1) I would like to make it clearer that failing to meet generally accepted good security practice is negligence, and 2) make importers and retailers liable to some extent for negligence with regard to security, not just manufacturers.
I would apply this to hardware, not pure software, or separately sold software.