Comment by iamnothere

7 years ago

One of the biggest problems is the lower-level chip vendors, who often require NDAs and won't allow their code to be shared publicly. The device maker has to comply with this or find another chip, which may not be available in sufficient quantities or at a realistic price point. The chip vendors don't necessarily go out of business, even if the device maker does.

Considering the global impact on security, this is an area that would make sense for regulation. At some point, the chip vendors should have to release their code to maintainers. I'd even be fine with limiting this to after the chip goes EOL! Perhaps it could come with guarantees reducing patent infringement risks, which may be where much of the vendor reluctance comes from.