Fair, but we are not expecting manufacturers to make bullet-proof devices. We are expecting them to make devices that do not let you achieve root access over the internet using an unchanged username and password combination. That's a very easy and specific thing to regulate.
But they pretty much do have to be bulletproof. Every single device connected to the Internet now effectively has a fully automated machine gun firing at it all the time. One gap in the armor is all it takes.
Well, the NSA let a low-level contractor (Snowden) walk off with a thumb drive containing half their archive. That's not far removed from not changing the default root password.