It is far more complex than that. How many users have no lock screen, weak passwords, use old versions of operating systems, let others play with their devices, share accounts etc?
What a user wants is for their devices to perform a job such as communication and entertainment. It gets very confusing for technical folk who then fail to distinguish between goals and tasks. (The software we write is focussed on tasks.) Here is an excellent article on the distinction: http://www.drdobbs.com/goal-directed-software-design/1844099...
"security" as such is not a goal - it is more an annoyance. It is why you have to have a lock screen (which gets in the way of the goals), "strong" passwords, and worry about compromise. Performing maintenance (which is what updates are about) are also not helping the goals - they are actually more work that also gets in the way of the goals.
A good way of looking at security is not as a binary on/off thing, but rather as an expense for someone who wants "your stuff". Does it cost an attacker 1 cent, a dollar, a million dollars? If "security" was part of the purchase decision process then it would be mentioned in the specs in some sort of measurable way.
Ultimately what will happen will only happen because of the economics or laws. Laws that try to put liability on the developers won't work for many practical reasons. What would be most effective is for it to be easy to for consumers to respond by taking their money elsewhere. This happens when there is low barriers of entry to the market, and low/no switching costs, as well as the items being relatively cheap. This is happening to various degrees, although it is fought tooth and nail by some (eg carriers in the US).