People love the idea of holding software company's feet to the fire when it comes to security. You hear a lot about software liabilities, how "inevitable" they are for example, at CFR meetings or other policy forums. You hear about mandatory FDA-enforced or Commerce enforced recalls for cars or other IoT devices with software vulnerabilities.
But if you do that, you make it so every hacker in the world can figure out the cost of a disclosed vulnerability, which means shorting stock becomes the best bug bounty in the world. "Why not just control all vulnerability disclosure?" the policy makers then say. Fantastic idea. I wonder if THAT will have any unintended consequences?