
Which is why certifications, audits, and minimum mandated standards are critically important.

The market just yawns at this stuff, until it gets fragged. Then it forgets and the cycle repeats.




> Which is why certifications, audits, and minimum mandated standards are critically important.

Not sure about that. All the security standards want me to run software written in an unsafe language as root on every device, intentionally parsing malicious inputs continuously.

That’s not making anything safer.


Pretty clearly, the standards have to be effective and well-designed. And yes, there are problems with that.

But the point remains that markets do very poorly at rare and/or cumulative risks. And that's the comparison I'm making. The market of and by itself will give you a race to the bottom in standards.

A longer-term view, whether through government regulation and oversight, social suasion, religious morality and ethics, or (possibly) insurance-oriented risk management (yes, a market mechanism, though something of an exception to the rule), will typically operate by the mechanisms I've described above. That there may be poor implementations doesn't obviate the fact that there can also be good ones, and that that's the goal we're aiming for.



