I would suggest your comparison to tobacco advertising is flawed.
WHO estimates the removal of advertising and marketing resulted in a 7% decline in tobacco consumption in European countries where the bans were in-place and resulted in significantly lower numbers of new smokers.
From numbers released by tobacco companies, the marketing and advertising budgets were still being spent but on initiatives to help sellers versus advertising targeting consumers (i.e. smoking areas/smoking "gardens" in pubs and bars).
And the bans paved the way for tougher anti-smoking legislation as opinion wasn't being swayed by consumer focussed advertising.
Unfortunately, almost none of the issues with cyber security overlap with tobacco - cheap (relative to cost of manufacturing), poorly supported IoT/similar low cost devices (versus hugely profitable tobacco where even with huge taxes on products, tobacco manufacturers made billions) means vendors have even more reason to disappear while offering no support. And a "replace rather than fix" policy would eventually come into conflict with other EU policies around environmental issues.
My suspicion is that the "€180-290 billion saved" figure won't come from manufacturers if end users (companies rather than individuals - per incident cost for individuals likely don't pay for support or carry out maintenance for a variety of reasons from stability to system validation to poor practice (amongst others).
The "market" approach seems to be cyber insurance but it's immature at present based on spiralling costs and how it is implemented/paid out. I suspect it will arrive at a workable solution long before the manufacturer regulation approach without making products unviable in the EU
(That's not meant as a general "regulation" vs "free market" opinion, just a criticism of attempting to regulate an area that is poorly understood and I'm sure regulations will become a part of this in coming decades as viable paths appear)