
> Sure, as a customer I could insist on my manufacturer having taken security seriously and having their products thoroughly tested and reviewed and hardened and patchable and all that good stuff

How exactly would you insist on that? Ask them? Aren't they going to tell you, "Yes, it's very secure, no worries"?



> How exactly would you insist on that?

How about "show me three different independent security audits by researchers or firms I trust who didn't find major issues in your product"? Sure, there needs to be a sizable group of people demanding that (and being willing to have it be the difference between a $500 and a $5K smart TV), but it is possible. For corporate IoT in certain settings, it might even be plausible.


You should be on top. Just as we have FCC approvals before you connect a device to 3G, landlines or to the power grid, we'll have to have approvals for all devices connected to the internet. And the top test of the list is a penetration test by a preapproved firm.

Note that open-sourcing the firmware would go to great lengths in building a better world: less spying, more upgradeability, more confidence in the tools, easier pentests and a legacy of new code for future generations.


You're going to need either hard regulation, or liability for such breaches to change behaviour.

Mostly because, as Mirai shows, the costs are external to the consumer of the broken device.



