Then the obvious solution is to make them care. We penalise corporations for financial negligence and failing to take proper precautions and report correctly. We increasingly penalise them for violations of privacy and data protection rules, where similarly they are expected and required to provide adequate infrastructure to comply with the regulatory obligations. If failing to implement reasonable security practices and provide appropriate security updates to users with no strings attached started costing the hardware manufacturers and software developers and resellers the same kinds of penalty per violation as some of the financial or privacy regulations, we'd soon see those security updates universally available without forcing all the unwanted user-hostile changes at the same time.
There isn't a law that mandates they split security updates from feature updates.
I'm suggesting that perhaps there should be.
In what other area of consumer protection law does a manufacturer or reseller get to provide a seriously defective product and then refuse to deal with the problem unless the buyer also accepts other changes that might make the product significantly different and possibly in their view significantly worse than the one they chose to buy?
The principle is important here. Your example about Paint 3D is cute, but in reality, there are plenty of other examples where user-hostile software changes have been pushed out after purchase, including those that disabled previously available functionality, reduced privacy, introduced advertising, or dramatically changed the look and feel of the product. People shouldn't be forced to accept these kinds of unwanted retrospective changes to the product they originally chose to buy just to maintain an adequate level of security.