Hacker News

I think there could be "IT security codes" just as there are "building codes" to enforce security good practices. But "survive impact from a 747" is not part of our building codes, and similarly "be resilient to targeted, state sponsored cyberwarfare" should not be the responsibility of the individual.

It's kind of a quandary. "Allow umpteen third parties to update their crap into your system" really is the current "security standard". And it's a standard that's gone along with the entirety of outsourcing as an approach to cost-effectiveness. It's hard to be sympathetic to the organizations that have lived and died by this. On the other hand, you're right. One can't do this company by company, one needs standards.

The question is whether the same companies that are now suffering would be complaining tomorrow if actual standards were imposed.


