It's one thing if you've made a conscientious and competent effort to build a secure product, and you provide security updates for a reasonable support period afterward. The point isn't to punish vendors for not being perfect; responsibility for an attack ultimately lies with the attacker, after all, and the vendor is a victim too.
Something like an open telnet port with a hard-coded password, though, is gross negligence. Heartbleed might not be the device vendor's fault, but not providing a firmware update to fix it, for devices that haven't reached a reasonable end-of-life date, is gross negligence. Continuing to ship something like Debian 3, which reached end-of-life and stopped getting security updates more than a decade ago, is gross negligence.
That's the sort of thing that vendors ought to be held liable for. Gross negligence in the security of your product makes you an (unwitting) contributor to the attack, not an innocent victim.
Getting updates actually installed on devices, after they're released by the vendor, is tricky. It may be a good idea to have the device just update itself automatically, though that opens a different can of worms relating to forced updates and people's control over the devices they own. But if the owner chooses not to install a security update within some reasonable time period after it's released, maybe the owner should be liable for some portion of the damage when the device ends up participating in an attack.