> CVEs pop up decades after products have died.

Are they even covered within the warranty period? I never tried it, but I think I'd have an interesting conversation if I went to a shop and told them I want to return a product because while it works flawlessly it's got a vulnerability. The standard procedure is usually getting a replacement, but this isn't possible here as the whole product range is affected.

Why not try to combine it with some right-to-repair-friendly stuff? If, after the cessation of support, you release any and all source code and documentation needed for any person competent in the relevant sciences and arts to maintain the device and repair any CVEs, you're off the hook for liability.

I had played around with the idea of requiring support for 3/5/7/10/whatever years after the cessation of sale, kind of like how car manufacturers are required to offer parts support for 10 years after sale, but I can see that causing enough overhead that many tech devices simply would never get made.

Apparently if you sell someone an airplane you're on the hook for 18 years of safe operation.

"I just can't see how anyone would ever invest again..."

I think you underestimate the (a) greed and (b) capabilities of the people involved.

Well, some limits of support should be given:

- How about 5 years minimum for hardware? And as much as the vendor wants to promise.

- How about that requiring that vendors at least allow for customers to pay for extended support for another 5 years by paying 20% of the initial price per year.

It is just ridiculous that currently many devices are insecure 3 months out of the gate.