First - that vulnerabilities are 'known' does not mean any specific instance of vulnerability is 'known'.
Second - that 'most attacks occur some other way' isn't hugely relevant. We don't 'not check the door locks' because most criminals 'go in through the window'.
Having a government entity knock on the doors and remind folks that they have a problem gives the issue impetus, and even legitimacy within the organization, aka instead of 'powerless IT figure from sector 8G' saying we have a problem, now it's the Government saying 'you should fix this', thereby giving execs the mandate to spend on it.
This is exactly what the government should be doing - it's proportional, non-invasive, not hugely expensive or complicated, they're not making legal requirements here (because none are needed) etc.
Your litany of solutions is not comprehensive, moreover, item #5 'penalize those for not appropriately respond to bug bounty' is a bit glib - this would definitely be government overstepping their bounds. There are always bugs in software. Weighing the risk v. consequences is not something gov can do.
GDPR, SEC, HIPAA, NYDFS and NYSE all mandate risk management measures, if not outright penalize companies and citizens for data breaches after the fact, which unfortunately means your Grandma's syphilis medication has to hit Twitter before there's intervention.
Without strong financial penalties or an impetus to fix at least critical vulns earlier we’ll continue with the status quo.
I don't want that for you, your Grandma or my own. You shouldn’t want it either.
> 1. Over 80% of breaches happen because of KNOWN but unfixed vulnerabilities.
EQUIFAAAAAAAAAAAAAX!!!!!!!!!
(Yes, the Equifax hack was due to a widely-known vulnerability in Apache Commons that apparently the DHS warned about but Equifax didn't bother to patch it.)
Also, knowing that hospital equipment still runs Windows XP (with some sturdy-but-aged machines running Windows 2000), I'm not sure if there's any good benefit for this. Sure, small businesses might take action on a genuine oversight but larger businesses tend to know already that their systems are insecure (even when taking state-level/sponsored attack out of the equation).
> 1. Over 80% of breaches happen because of KNOWN but unfixed vulnerabilities.
This reason only makes sense to me if I assume that all KNOWN vulnerabilities are (and remain) UNFIXED. Assuming otherwise doesn't make sense because I can't tell how many attacks the KNOWN and FIXED vulnerabilities prevented.
> Most attacks lead with phishing and account takeovers not software vulns.
This might be true, but you seem to suggest that we can only concentrate on preventing one type of attack at a time, and therefore we should only pick defensive strategies for the most common attack,
To clarify, I'm saying governments and regulatory bodies should improve mandates for fixing critical issues with the highest risk first (i.e. remediation).
It’s the same reason state govs in the US mandate car insurance or bonds for drivers.
Companies, like people, have limited resources, time and money, so they should focus on where the risk lies.
I would rather hope that EU/Anglosphere/Japan/Korea etc. 'team up' on this one and at minimum exchange notes and best practices.