My thought was something like UL certification on IT devices, the way they certify that products are electrically safe and won't start fires, they could certify at minimum that they don't have any open ports by default, are not delivered with default well-known or easily guessed passwords, are not running ancient versions of ssh or php or other software, are resistant to online attacks at least at a "script kiddie" level, etc.
The problem with that, however, is that vulnerabilities are constantly discovered, and what is safe today is not safe tomorrow. Electrical safety and fire resistance are much more permanent: if it's done right, it's likely to be safe for a long time.
We already have that. The Common Criteria (ISO 15408) has existed for literal decades at this point and is required for usage in government systems.
Vendors just find it too difficult to certify against attacks at the “script kiddie” level, so they lobbied the government to lower the standards so even the lowest rated systems, ones not even audited for security, are allowed for general usage in critical systems.
The large commercial vendors, such as Apple, Microsoft, or Amazon, have spent billions of dollars and literal decades trying to improve their security and have uniformly failed to certify that they can deploy any system that can protect against small commercial teams, unlike actual high security vendors who can produce systems secure against even state actors.