If you don't already like the idea of assigning Final Goods Assembler liability to operators of major open-source repositories, I suggest skipping to 'How To Fix The Problem' (of security vulnerabilities in end-user software, especially in IoT devices).
Personally, I like the idea of a UL-style or CE-style label, at least for IoT devices, that asserts that the device will be automatically updated with cryptographically-certified patches for ~5 years. You can then manually disable the updates; you just take responsibility for the security of the device.