Wouldn’t that be more of a problem if security is standardized though? If everyone has the same security, the same flaw makes everyone vulnerable. Multiple competing security types diversify the pool and prevent one flaw from causing all devices being susceptible to the same attack.

I fail to see how standardizing how long products are supported and how vulnerability reports are processed would cause everyone to have less security.

I can see it now. Anti-vax equivalents as IoT users...

“I refuse to change away from my Linux2 busybox/php based home automation devices. https gives you autism!”

(Maybe we can maintain “herd immunity” by abandoning ipv4, and moving the “healthy herd” all over to an ipv6 only internet?)