I agree with what you're saying. I don't have enough of knowledge of EU law or the full text of the CRA to make a judgement about it specifically. I was just sharing my point of view on software regulation generally.
> Company B should not be held liable for the misuse of their bolt by company C
Putting aside this specific analogy, but on this topic: I do generally think that implied warranties are a good thing, and I don't think it should be legal to disclaim them in all scenarios. Most other professionals are held to professional liability standards, and it is expected that they follow certain basic standards when they practice.
Consider basic best practices, like testing and documentation. It probably is fine if a hobby video game developer doesn't do these things, but if you are putting out software that claims to be intended for "enterprise" or "commercial" use, it is certainly reasonable for others to expect that this software is "fit for this particular purpose", and was built with good software engineering methodology.
I do think it shouldn't be permissible to hide behind a shrink-wrap liability disclaimer when publishing software claimed to be of "commercial" or "enterprise" quality that doesn't even meet basic standard of rigor.
What software really needs right now is a standardized way to measure development quality, and some legal guardrails around standards for dependency management.
I am not sure that "commercial" or "enterprise" implies anything in terms of quality or should. "enterprise" for example is defined as "Enterprise software, or enterprise application software, is computer software used by organizations rather than individual users." by the following aws page[1].
Aerospace software already has to follow aerospace regulations, medical software already has to meet medical regulations.
Holding a company responsible for selling software with implicit claims but a liability disclaimer makes sense to me. Clarity in contracts, advertisements, terms of service, and similar makes sense. The CRA currently seem to to hold non commercial entities or individuals who are not making claims and explicitly going out of their way to disclaim liability responsible. That does not make sense to me and seems counter productive to the goal of safe software as well as a productive economy.