This is worse. This leads to lawyers making the critical decisions instead of regulators and auditors. The latter group at least has some familiarity with the subject area.
One leads to the other. Lawyers start making a bunch of decisions on corporate strategy and product design because they have to anticipate the rulings of judges and juries. Their decisions are usually going to come late in the game though, leading to lots of last minute, shoehorned changes because they aren't able to review early enough in the development process (since lawyers are expensive and you can't get enough of them to be involved early).
Only if you have money to get to court. Everybody else would be left depending on the good will of big companies. That's why courts should be the last resort, not the first. We need regulation, and if everything else fails the courts should be the way to go.
Liability is generally a much better approach than specific regulation. Lawsuits happen after the fact and concern actual harm suffered by actual people. Damages are assigned based on this actual harm. That means that in liability system the price of bad behavior is approximately the harm it causes, which is exactly what you want. Liability doesn't require everyone to actually go to court, because almost all lawsuits or threats thereof are settled based on expectations shaped by previous cases that did go to court. Further, class action lawsuits allow large numbers of harmed people to be represented in a single action at no cost to themselves.
Regulation, on the other hand, is an ex ante affair. It involves some central planning authority, whether Congress or some administrative agency, trying to create rules that they believe will prevent future problems. The regulator will always get it wrong to some extent, often to a very large extent. Rules can be too specific, stifling innovations that would allow actors to achieve the same or better results with different methods. They can be too strict or too loose. The rule making process is also necessarily slow, so regulations tend to come too late and linger too long after technology has moved on. Finally, regulations are ultimately political, driven by what will translate into votes, not necessarily efficiency. If they represent a right-wing constituency, that will mean looser regulation; if a left-wing constituency, tighter regulation.
What's interesting about liability is that companies will buy insurance for it. The insurance companies will demand compliance with certain rules in order to be covered--essentially private regulations. But unlike government regulation, there are multiple competing insurance companies. The resulting market for insurance means that the market searches for the optimal balance between harm prevention and profitability. Insurance companies have a strong incentive to devise the rules that provide the optimum level of security for lowest cost possible.
I agree that liability is probably the best approach and is long overdue for software. The problem is the standard for proving security nonfeasance. My thought is that if your product was found to have a security problem and you did not have a security audit performed by a licensed security auditor then you are liable. But I'm not sure there are licensed security auditors in the way, for instance, a CPA is licensed. Over time, if a security issue is publicly reported (e.g. a CVE) and you haven't fixed it within a certain amount of time then you are also liable. The length of time a vendor must provide security updates to a product for free should probably be defined in law, e.g. 2 years.
> It could also be done by allowing people to sue makers of insecure software or hardware.
What about free/open source software? Should society punish those idiots who had the gall to contribute their free time to a project that everyone can use free of charge?