Programmatic attacks (Mercenary and so on) are the OS developer’s problem.
If one thinks about it, this is inherently true because the OS developer (any developer of any software, in fact) is the one that has access to the code base and can fix the problem. It is even true for FOSS, where anyone has access to the code.
However, ideologically and legally, within the global legal system, software publishers have no obligation to do much of anything unless there is a contract that states in detail the security requirements, shared responsibility, etc. Comprehensively written contracts that favor the buyer/client are very, very rare because no software publisher in their right mind would sign and commit to such a contract.
In all other instances, as in the case of the average home user who has a system with any OS on it, software publishers universally utilize EULAs and Terms of Service that absolve them of virtually all responsibility and accountability for almost anything. For security solution publishers, their liability is minimal when it comes to protection failures. For any software publisher, their liability can be absolutely zero within specific jurisdictions.
Now, when it comes to software that can cause physical harm and death, there are established cases where courts across the globe have determined that the software publisher was liable and issued judgements against the defendant (the software publisher). A famous case is an early medical radiographic (x-ray) system that used software that over-exposed ("dosed") patients with lethal amounts of radiation, and they all died as a result.
The software industry is this way because requiring publishers to meet secure-coding standards, undergo audits (both self-audits and external independent audits of both the code and the overall development system), pentest their products, provide attestations of comprehensive secure coding and oversight, and so on is considered unreasonable and economically unviable.
The sole exception is regulation that imposes requirements on software publishers - but none of the regulations are effective, for various reasons. Most are weak and accomplish nothing.
The EU is the only one that I know of that requires software publishers to patch vulnerabilities for five (5) years after release - and there is a huge effort by the industry against it. Some publishers have exited or plan on exiting the EU because of it. Most will continue but raise prices to cover the regulatory overhead expense. So, in the end, the buyer always assumes the cost.
But the world thinks "Security is software," and there's not much that can be done at this point. Things will never be as good as they are at this moment. It will only become progressively worse. And before someone brings up AI - no, this will not definitively solve the problems, because the "Users want to use stuff" model plus people will still be a part of the equation. AI might have a chance if people are completely removed from the equation.