That's apparently already changing in the EU, where software vulnerabilities mean the company is liable for damages. The only way out is to straight up not make any money (not just from direct sales) from the software.
I'm thrilled that companies are liable for crap that ends up hurting other people. I don't think they should get an easy way out, and I also like that there's a carve-out for people who aren't making money off of software (like OSS devs).
Is the burden of proof on me, the developer? Do I need to prove in perpetuity that I didn't get a job or a free flight to talk at a conference because of my free software (which had a flaw that hurt someone)?
But I do think that this is a much better start than letting companies ignore the impact on software consumers or having open-source devs be on the hook for volunteer work.