If software and hardware vendors were held strictly liable for security incidents that were caused by defects in their products, and businesses were held strictly liable for damages caused by security incidents caused by substandard security practices, how would the quality of security metrics be altered and what would be the mechanics of that change?