Over 55,000 security camera DVRs are vulnerable to an exploit so simple it fits in a tweet

Aside from the basic “the US Chamber of Commerce says that’s class warfare!” response, I imagine that implementation would get messy fast because the measures that really matter would be fairly easy (and extremely tempting) to game with limited improvement in actual security.

Even the fairly detailed scoring system has a fair amount of wiggle room; and getting honesty out of the tech side when legal sees exposure would be tricky. On the mitigation side, there would be a great deal of pressure to define the metrics toward things that are easy and away from ones that are useful (“it’s a consumer system, best effort, and we published an advisory on our buried legalese nobody reads page telling consumers to turn it off until an update was available within 15 minutes of being advised of the issue! That’s impeccable response!”)

There would also be a strong incentive to shove the “cause” of the vulnerability onto the user (consider the example of “eco mode” in TVs: it exists primarily to demonstrate a suitably impressive adherence to energy standards and to be turned off the moment the user gets home and switches the image quality to “don’t suck”; but it was totally energy star+++ when they bought it…):

Something trivial and petty like, say, turning off UPnP for testing, but having it turn on again during setup unless the user chooses double-secret-nerd-mode rather than EZ-config; or disabling basically all the features until they press the “network setup” button (no remote vulnerabilities exist before the user screws this up!) and choose EZ-config to enable the features they actually purchased the device for. If an additional arm’s length is needed, an ‘app store’ that makes it easy and seemingly a good idea to add the dangerous features from a 3rd party is always an option.

I’m sure there are additional shoddy tricks I’m not yet thinking of.