Re: Standards Bodies need notice
You can hold anyone to any standard you want, but you can't make a company that sold a million routers with an exploitable vulnerability and went out of business a year later fix anything.
However, once the regulating bodies declare non-conforming* devices to be illegal and require them to be taken offline, the next step should be to legitimise ISPs using the Mirai code (and other means) to identify vulnerable devices. If end users don't respond to notifications that they're using uncertified crap, they need to be sandboxed or taken offline entirely.
Drastic, yes, and needs law and regulation changes, as well as secure processes for upgrading certified devices, so it won't happen tomorrow, but to me it looks to be the only way to get rid of IoT shit that's vulnerable and can't/won't be upgraded.
* certification includes having a way to patch in case new vulnerabilities are found.