National Disclosure Centers are only as good as the organizations that take their disclosures.
I worked pretty closely with the DOC CIRT when it was first formed. It did not matter how many CIOs were involved in the process of forming it, or what they agreed to do, or what channels of communications were established. There were always groups that would not / could not work to address issues when they happened.
I don't think passing more laws has much affect on the issue either. Laws are regulatory and fall very much into the camp of attorneys, who rarely understand their implications in terms of infrastructure. Have spent many days on the phone with people for OIG seeking clarification on regulatory guidelines for handling systems, without getting the impression they understood much more than how to work the on / off switch.
This is a supply and demand problem, but a very special one. There is not enough demand for patches and security solutions prior to an incident, and there is not enough supply of secure code available to combat the threat. If anything, a solution lies with manufacturers, but there has to be a serious market for secure solutions for it to happen (and a willingness of buyers to invest in products that go down this route).
In other words, organizations needs to stop buying windows and start buying hardened Linux platforms. I honestly don't believe there is another way.