Oh look over there, a squirrel.
This is a nice deflection and I'm glad they mentioned "provide secure upgrade paths" thought they missed the "at a price" from the end of that.
I don't think it is governments place to tell companies to implement security, government should be there to do something about if they don't and actually do something rather than fines which are a waste of time.
There's two things that may fix IoT security in my mind.
Mandatory stated life of product updates when you buy it.
A system where a company gets a score out of 5 depending on how much security testing the device has had based on common vulnerabilities that really should not be a problem these days, e.g. hard coded passwords, no encryption, access from the internet when not needed to name a few.