Following is much too long. I'm worried about tl;dr but I haven't had sufficient coffee to figure out how to condense this.
I don't know whether it was the parent post's intention, but a sudden insight flashed through my head that government could require a safety recall on operating systems that <strike>have defective security by design</strike> are hosts to huge botnets.
It could be a tiered recall, where IT departments of hospital networks and similar high risk environments are required to participate (or face felony charges of criminal negligence) while the recall would be voluntary for individuals who use the OS for games. A middle tier would allow some business use of the operating system under strict safeguards, with those who violate the safeguards facing misdemeanor charges of negligence.
The company producing the defective OS would be responsible for providing a safe alternative and basic training in its use and maintenance.
The government could indemnify, on a time-limited basis, the OS producer from violation of free open source software licensing agreements, so that the company could immediately replace its defective OS with any of the available secure FOSS products to meet the recall requirements. The indemnification could be set to last only until the company had a certifiably secure OS of its own, and could be applied only to the use of FOSS in meeting the recall requirements. The company would not be able to make a dime off of FOSS use.
This would be disruptive to hospitals, fire stations, and police precincts that are currently relying on an OS that would be recalled. But it is less disruptive than having those institutions compromised and robbed of their data, or sabotaged. Also it is the IT departments of these institutions who failed to use due diligence in choosing their operating systems, so the costs of the disruptions would be brought to their rightful owners. The normal political processes of institutions and agencies would assure that adequate attention would be given to the long term risks of defective designs in the future.
This would obviously be disruptive to the corporation that released the defective software, but it would not destroy that corporation. It would certainly change its focus, requiring it to provide more service (training and support in the use of the replacement OS) and crippling its marketing strategies, but that of itself is probably not a bad thing. Since it would be indemnified against the short term (probably around 5 years) violation of FOSS licenses in the recall process, it should be able to survive. To my knowledge, all current operating system developers that would be affected by this kind of recall have been boasting that they have enough cash on hand that they could weather this kind of recall.
There would be numerous secondary benefits from this as well, such as a great deal of skilled attention to fitting proprietary software to a FOSS base, a great deal of exposure and training to FOSS, the reduction in costs of malware removal and protection, greater data security for everyone, and so on.
While this would not directly remove any of the current botnet threats, I don't realistically see any way that would be possible. So long as OS designs with defective security are being used extensively, those threats are not going to go away. Instead we should look for ways to quickly force the change from defective OSs to secure OSs, and begin by focusing on those areas where the risks are highest.
A government recall program, similar to what was used in the 1960s to guide the automotive industry into designing safer vehicles, is one approach to this kind of problem that we know can work.