When the shell company implodes ...
what then ? End users have kit that is vulnerable. OK: the importers are liable, what can they do ? The source code for these things will prolly not be in escrow so they cannot be patched, even if it was and if (big if) it is possible to patch & build a working image from the code - how do they get it on to end users' kit ? These things are often set up to get patches from the makers' machines - which are not longer there.
Should the importers be made to buy the kit back ? Even if this happens many end users will not want to due to the hassle involved.
This needs much more thought.