I expect that even the most backwards company would get those systems offline in less than 24 hours.
Your optimism is adorable.
Also, of course, this proposal has technical issues, such as identifying infected machines and their owners; and legal ones, such as an unclear basis for threatening charges against companies (much less officers).
We have a vast body of experience with using regulatory regimes against private-sector offenders. I think it's the mechanism most likely to be broadly efficacious in improving IT security. But it's neither precise nor fast. There's no reason to believe it will be either of those things in this case. So "just enforce the law" is not a solution.
And like it or not, these sorts of actions by law enforcement will almost certainly continue. Now the government has a taste for it, they will be loathe to surrender the power.