There are moves afoot to address the problems of software reliability from a legal angle, as Dr. Trey Herr explains on Lawfare. For example:
Liability is the legal mechanism to hold a goods and services provider accountable for the quality, security and safety of those goods and services. Determining acceptable quality, security and safety requires clear standards. In the jargon of the legal class, this refers to a “duty of care”—the minimum obligation required of a provider whose products might harm their users. The duty of care becomes critically important in defining the standard of behavior expected of final goods assemblers. An effective standard might well create legal obligations to set “end-of-life” dates for software, remove copyright protections that inhibit security research, or block the use of certain software languages that have inherent flaws or make it difficult to produce code with few errors.
But as a 2016 National Institute of Standards and Technology (NIST) report noted, determining which errors are “‘sloppy and easily avoidable’ is not a trivial matter.” Even avoiding simple errors is not an affirmation of sterling quality. A handful of efforts, new and old, try to address this problem. Some look at specific high-impact sectors like power generation and distribution, and medical device manufacturing. Others are more holistic, such as Microsoft’s Security Development Lifecycle, a decade-plus-long effort from SAFECode and their Fundamental Practices for Secure Software Development, and the still new Framework for Secure Software from BSA. NTIA’s Software Bill of Materials (SBOM) effort is complementary in addressing how organizations track what code they use rather than how it is developed or patched.
The article’s a bit of a slog, but if you are weighing tools beyond murky economic incentives for encouraging better software, it may prove to be a good starting point.