(1) The owner of a device attached to the Internet must make a reasonable effort to maintain it. Specifically, they must install security updates in a timely fashion. In addition, they must disconnect the device if they are unable to maintain it. No device or piece of software lasts forever. You don't get to keep using a PC with Windows XP, or a 10 year old router with dozens of known security holes -- you need to throw them away. Failure to do so will make the owner liable for damages if their device is used in a DDOS attack.
Useless. New devices are at nearly as much risk as old devices; that it's new should not in any way make you feel secure. You'll also be fighting legitimate businesses with legitimate use cases for, say, Windows '95. Specifically, that their legacy software and drivers have never been upgraded by the people who wrote them, and don't work on newer versions of Windows.
(2) Network operators shall be required to ensure that packets originating on their network have a valid source address (e.g. use filters at all ingress points). Failure to do so will make them liable for damages related to the DDOS attack.
(3) Network operators shall be required to provide rapid technical assistance to trace DDOS traffic that is passing through their network, so that it can be traced back to it's source. Failure to do so will make them liable for damages related to the DDOS attack.
Also useless. The modern day DDoS isn't necessarily about flooding a site with spoofed packets from a small number of high-bandwidth machines. It's about sending a tiny number of legit packets from an enormous number of compromised hosts. No outbound packet filter is going to be able to discern the good from the bad (and since the host is already compromised in the first place, there's no help there either).
There are exceptions, of course; for example, many IoT devices should be nuked from orbit, as they have no legitimate reason to EVER talk to most web sites.
I do agree that people should be held accountable for having insecure crap on the Internet and allowing it to participate in attacks. Detection and enforcement, however, is much more difficult than one would think.