I think it depends on where you are and what is being done. Some places have restrictions on what companies can deny responsibility for, so there is usually (not bothering to look it up this time) a clause in the EULA saying that if part of it is invalidated, the rest still applies.
"There should be a law" is, perhaps, a better starting point. I've thought on this topic for a while and have some ideas about what should happen and how and when, but I am sure I'm missing some important issues and my wording needs improvement. Feel free to take my ideas and improve on them and pass them on to the appropriate agencies. Since "Comments owned by the poster" is clearly indicated, I hereby release this post and any of my comments related specifically to this post into the public domain.
Fast changes are bad for business so I believe this first part of my suggestion for new laws should be discussed now with an intent to have the laws become binding in 2025 at a state level.
BMC software law provision one.
The state of [insert state here] shall create and fund an agency with a free and public interface so that any software which is used to provide service or sold may be reported by the buyer as having a security vulnerability with replicable results. If the buyer submits such a vulnerability to the state agency, there will be posted a public notice that the vulnerability has been reported, which the software or software service vendor must review and patch in ninety days from the date of public notice. Software and software service vendors may request automatic notice of such public notices by email or letter, with proof of identity. Should a software or software service vendor fail to patch, and offer the patch without additional cost to all users of the software or software service vendor, the state of [insert state here] shall grant a permanent license to use the software or software service to the first reporter, individual or company or organization, of the vulnerability. The software vendor who fails to offer a free upgrade to all users of the software or software service without charge shall be required to provide the software or software service without charge to the individual who first reported the vulnerability so long as the company continues to offer that software, software service or derivations on that software or software service commercially. This requirement shall apply to all sellers and buyers who reside or are conducting business within [insert state here], with the provision that if one of the entities involved in the transaction is outside of the jurisdiction of [insert state here], then all other commercial interactions by the entity outside of the jurisdiction of [insert state here] shall be prohibited within [insert state here] until the terms of this law are fulfilled.
Ten years is plenty of time for a state government agency to be formed and for companies and software developers to adjust their business models to the first provision of my proposed legislation. I think with that in mind, fifteen years is enough for the second provision of my proposed laws, and I think this should be at a federal level. I'd suggest that the NSA is the appropriate agency, but I'm open to a new federal agency being created or assignment to a better suited agency.
BMC software law provision two.
The federal government shall mandate [insert agency here] to provide a publicly accessible interface for the submission of software source code in the state used for development and production of the software and replicable instructions for any binary program produced using that source code which is offered for sale or as part of a paid service, hereafter referred to as replicable programming. Any person, company or organization offering software or service utilizing software for a fee must submit the replicable programming to the [insert agency here] interface within ninety days of the first sale or purchase of replicable programming or any buyer of the replicable programming shall be entitled to a full refund of fees. If the interface for public submission becomes unavailable to the public due to a technical problem or limitation, an alternate option for submission through the postal service shall be offered, but only if such submission is posted within sixty days of purchase. The submission of replicable programming shall become public and offered without cost to the public through the offices of the Library of Congress after a period of ten years from the date of original submission unless the submitter or legal owner of the applicable intellectual property of the submitter requests an extension of exclusive copyright and non-publication for a period not to extend beyond ten years from the request for such an extension. Extensions may be requested repeatedly but shall be denied for any period which would extend beyond fifty years from the time of the original submission, after which the submission shall become public. Exceptions may only be granted by a federal court, and only for a period of ten additional years at a time, if the submission contains information vital to national security. 
The replicable programming may be reviewed by authorized government agencies for security vulnerabilities and any which are not patched within a period specified by [insert agency here], not to exceed 120 days, may be made public by [insert agency here].