"it's easy to create some knee-jerk legislation which has unintended bad consequences"
As true as that is, it might be time to put an end to the free lunch buffet that companies have been enjoying since the dawn of the Internet. Borkzilla is first in line for never accepting any liability, yet is there any count of the man-years that its successive OSes have cost in time and resources? Of course not.
I am obviously not advocating that the major OS companies be held liable for every Tom, Dick & Harry's multiple issues - they would shut shop immediately and with good reason.
But if we can't have a guarantee that the software works 100% of the time, we should at least have a guarantee that the OS vendor has every verification and control in place to ensure that, at least as far as security is concerned, every possible contingency that has been thought of has been addressed.
Then, of course, it will be the flying circus of clown acts to list all possible contingencies that should bring liability. I'm sure there's quite a list, but not salting and hashing passwords is something that should definitely entail jail time - and for the Board, not for the developers.