Mandatory bug-bounties from major vendors
Brian Krebs proposes that software vendors should be forced to pay a bounty on all newly discovered vulnerabilities
in their products at rates that exceed those paid by spy agencies and criminal gangs. He says that the bill for this would be substantially less than one percent of gross revenues, and that it would represent a massive overall savings when you factor in the cost to all the businesses and individuals who are harmed by security vulnerabilities. He doesn't explain what to do with popular, free/open software though.