A better option is to create a government testing and patching standard, fips-1024 let's say, and only buy devices that comply. The private industry usually follows and innovates around said standards, whereas the forceful regulatory approach seems to fail quite often.
The principle that IoT vending should not be lawless, and that you should not be allowed to sell made-for-pwn'ing shite is good. The idea that it is a bad thing for stuff to join a botnet even if the botnet doesn't harm the stuff's owner is also right.
Whether this or any other particular piece of legislation actually helps with that is not known yet. Whether the legislation gets used as a barrier to entry to keep secure products out of the market while giving conforming but dodgy products the green light is also not seen.
The best I can say is that, from the article, the senators seem to be taking a sensible attitude, and the description of the bill has no obvious stupidities.
I expect that legislation will matter less than the attitude courts around the world take to things as the practical consequences of IoT are brought before them one case at a time.