Comment Difficulties... (Score 1) 23
Well one, it's bad enough for a single company to have their 'security' teams meaningfully assess the security beyond the obvious. Good security really has to be ingrained throughout the process.
The obvious security issues that something like a 'CyberUL' would catch are generally not the issues. The problem is that once a new issue is discovered, the existing install base is not be updated. Either because updates are available but IT teams are slack, or because everyone has jumped on the bandwagon of using preloaded stuff baked into products that get subsequently abandoned by their vendor or the vendor just goes defunct.
For another, any US endorsed entity calling the shots for security faces a bad credibility problem. NIST is pretty well distrusted globally now, I don't know what would happen with this initiative.