Hacker News

How many of those systems are owned by private people who have no idea what to do about it? Do you plan on suing half the planet?


If these systems are owned by private people then the company who designed it/deployed it is liable. If I have root on the device then it's my fault if I screw up, if I don't have root and it's just a plug and play appliance then whoever designed it/sold it can be liable. This solves the issue of "grandma buying an IoT washing machine" mentioned in another comment as the manufacturer of the machines can be sued directly without bothering grandma (besides a recall program and/or firmware update to patch the vulnerabilities).


You seem familiar with hardware and software hacking, but not the creativity of bad-faith legal hacking ;-)

If you pass that law on Day Zero, I claim that on Day One, manufacturers provide some horribly arcane command-line interface for rooting lightbulbs and washing machines, and add some boilerplate to their shrink-wrap licenses forcing customers to acknowledge that they have admin privileges on their devices.

Problem solved for them, Granny is liable again according to your system.


Does the license auto-root the device? If yes, then it's an obviously dishonest circumvention of the law and judges will see right through it. If not, then the manufacturer has to prove the device was rooted if they want to pass liability to someone else.

If that still doesn't solve the problem, the media will take care of it. "Buying this smart lightbulb puts you at risk of being sued for thousands of $$$" can't be good for manufacturers and they'd want to avoid the bad press.


It seems simpler and more direct for the media to say,

"Selling this insecure IoT-device/phone/router/tv that requires every consumer to become a security expert, and taking no responsibility for OTA patches and so forth, puts you at risk for paying hundreds of millions of dollars in fines and/or damages."


You'll also have to prove the IoT device DDoSing from my IP isn't a rogue device. I swear it's not mine.


If someone hacks my WPA password and torrents child porn from my IP I am liable (in Germany) - no need to prove it was me or my device.




