It depends on how much the labels shape behavior. I'm envisioning a "high-tier" label that says that risks X, Y and Z have been addressed by M means and that, e.g., addressing risk Z meant sweeping stated databases for known security holes, committing to security-only patches for N years, and hiring J compan(ies) to sweep your firmware within specified parameters -- or whatever other things from the wish list of infosec pros that people like posters in this thread choose to advocate for. Hopefully that would be better than what we have now, which is mainly a price/churn-driven minimum viable product.
Re your exception: I don't think mandatory labels are on the horizon in the USA, but this could indeed be a problem under other regulatory regimes.