Should developer pay...
Might be a good idea, but when you realise that actual judges would have to decide what was an "avoidable flaw", it gets scary.
Yes, it really depends on the actual situation and circumstances, and I don't think that we - at least I, for sure - would be able to draw a line for this narrow border.
No, it will just fall flat for many reasons:
- What is 'negligent coding'? And who's responsible for defining it? You either have an exhaustive list enshrined in the act, which is neither expedient nor quite likely, or you have courts deciding, which do not have the required expertise.
- The 'culprit' problem. Was it the security flaw in application A? Or was it the malicious piece of software running in the background, installed due to a security flaw in application B? How can one prove that it was or wasn't the former? Or exclude that it wasn't the latter? Was it a flaw in a probably updated external (system) library, which made the application vulnerable? Just because there is a known vulnerability in application A, does this mean data has been stolen using this vulnerability?
- The 'preservation of evidence' problem. What happened after the data was stolen due to a security flaw but before it was recognized? Has the system been modified? How can you exclude that it has been?
Although I understand the motivation behind it (and agree with it to a certain degree), such a regulation is practically impossible to implement in a way that fulfills this motivation.
That would definitely put a stick in the wheel of "progress" - bugs aren't hard to avoid, but since support is paid and so are new releases, it is profitable to make software suboptimal. Most of the harmful code out there is 100% intentional; the more problematic code there is, the more solutions to it get sold.
And it doesn't apply only to software; the entire industry is very concerned with not making products too good, too durable or too versatile. Planned flaws, limitations and obsolescence are everywhere you look. In some cases, like cars, this ends up costing human lives, but good luck suing a major car manufacturer because it didn't manufacture the product better. That's what EULAs are all about: the longer and more tedious the user agreement is, the more chance the user doesn't even bother reading it, and agrees to NOT SUE and that he voluntarily accepts a product with all its flaws.