I think the policy and regulatory approach is something that is probably best left in your hands. For us, the basics do matter, though, and organizations do need to do them. I think the issue now is working with them, and we're trying to get the technology companies to actually improve things.
The problem is that you have to get secure by configuration. It might not have been deliberate that the vulnerability was there and they weren't doing the basics. It might have been a simple mistake by a system administrator, but it shouldn't be that easy to undermine your security because a sysadmin typed in the wrong command. There's just something fundamentally wrong.
For computer scientists and engineers, it's the equivalent of designing a bridge: if we forgot to put in one rivet, the bridge would collapse. That's not how engineers design bridges. The industry needs to figure out how to make this so that the technology isn't in such a fragile state from a cybersecurity perspective.
Those are some key things we need to do, but whether regulation is the right approach is, I think, best left in your hands. As a public servant, I will faithfully implement the directions we're given.