whether and how quickly it will be patched
It's something that could be baked into the standards behind the stickers. The sticker would tell you for how many years the manufacturer has committed to provide patches. (That could be a powerful market incentive - consumers aren't going to like shelling out good money on an appliance that has a sticker on the front telling them it'll be going in the bin after 3 years.) The standard would specify how promptly fixes for any CVE-logged vulnerability must be delivered during that support lifetime. If the manufacturer fails to meet the standard, they used the sticker improperly and get fined by the regulator. Add on mandatory requirements for source code escrow and a financial bond to fund maintenance if the company folds during the product's lifetime, and you could come up with a regulatory system that would improve IoT security in a useful way.
I mean, I doubt they will, but they could.