How will it work?
It's a nice idea, if it could made to work. There are 4 main pitfalls I can see:
1) How to undertake enforcement with the Chinese manufacturers
2) You move the goal posts and say it si the sellers responsibility to ensure the IoT toy complies - How many of these sellers will even be aware of the requirements? How can they in turn force the company to implement proper security at point of manufacture?
3) How do you backdate this against the millions (billions?) of devices already out there. If you can't are the manufacturers subject to fines, and if you can how to get all the users to update the devices?
4) When it comes to phones etc. will there be a time limit to push out security updates? How long would a company have to offer support - to be truly effective it would have to be until the last device stops working, and how would they know? It can be hard enough to get an update now, because each company has to work the code into their version of Android (Apple obviously only have themselves to deal with) which they use to justify delayed security updates now, and then they only provide updates in many case for perhaps 2 years.
Biting the hand that feeds IT
