How about...
...making it illegal to run a public computer system which is susceptible to known malware.
I'm feeling generous: perhaps the authorities could endorse a register of known vulnerabilities which must be fixed or the CxO gets a vacation in the big house. If you get caught by a new one then there could be leniency - as long as you had a response plan.
Biting the hand that feeds IT
