Mandating specific practices for particular technologies is probably not possible, but we can certainly come up with a general framework for judging the degree of recklessness. For example, the penalty for allowing data to be stolen through an exploit of a vulnerability whose security fix had been available for months should be more severe than the penalty for data stolen through a zero-day, for which no fix existed.