Re: "I'd go for user education"
Sorry, that simply won't work. The only thing that will make suppliers & importers take notice is liability for unpatched flaws after a certain time. You know the sort of thing that would happen in the traditional hardware world of cars, etc, when some safety factor comes to light.
Much as I distrust government meddling in technology, having some legal standards for, say, 5 years after the sale of any "connected device" would be a more workable answer. Sure those companies will bitch about profitability, etc, but the reality is they are currently shitting on the consumers by not doing it right in the first place (and by "right" I mean having a proper system for support and patching planned for and used, as some bugs are inevitably going to happen).