I think that I disagree with everyone in this thread so far.
I don't think this paper is "common sense", or else we wouldn't be in the mess that we are all in now. (Of course, I think that "common sense" is really just an excuse to mock people who don't share your background or expertise, so maybe I am biased.)
While the recommendations in the paper *do* make sense, I think the most crucial issue was identified in this sidebar on pages 14 and 15:
Identify and advance incentives for incorporating IoT security. Policymakers, legislators, and stakeholders need to consider ways to better incentivize efforts to enhance the security of IoT. In the current environment, it is too often unclear who bears responsibility for the security of a given product or system. In addition, the costs of poor security are often not borne by those best positioned to increase security. DHS and all other stakeholders need to consider how tort liability, cyber insurance, legislation, regulation, voluntary certification management, standards-settings initiatives, voluntary industry-level initiatives, and other mechanisms could improve security while still encouraging economic activity and groundbreaking innovation. Going forward, DHS will convene with partners to discuss these critical matters and solicit ideas and feedback.
Giving people with power to solve problems the responsibility to solve them along with proper rewards if they do seems quite obvious, so maybe that is what you meant by "common sense"? :)
I'm glad that DHS seems to "get it", but I am also nervous because I doubt that they can make an impact with legislators and regulators here. Setting up markets so they align with the best interests of society is likely to be considered government meddling by many, especially business folks who instinctively fear and hate any constraints on their activities.
Sure, I can agree with you that "common sense" doesn't seem to be that common, as otherwise we wouldn't have the current situation. So at the moment I don't know if this is the right thing to talk about. What I am a bit worried about is that every time regulators, or in the extreme case the government, come in to set up rules, strange things happen. In the extreme case, when the government steps in it will need technical advice; otherwise laws appear where you have to be discussing privacy again, or where an engineer knows that these measures won't be serving anyone, except that everything will be getting more expensive and/or complicated. At the moment I couldn't even imagine what such a "reward" could be. Maybe certificates for IoT security which can be traded on the market if you want to release a product which isn't as secure as it should be. "To enhance security while keeping economic costs low", maybe.