First of all, most software companies do SaaS, meaning they also provide the service. And then, even if they don't, the users will just hand the paperwork down to the companies developing the software, because those know what was put in, security and components, and want to have this in legal writing.
Secondly, imagine your average IoT seller. They should not be liable for their bad product because they don't run it themselves? "The user" is liable? In most cases the "user" can't even do anything about their insecure device.
I think developers are rightly responsible here. It's pretty comparable to other industries where the products have to be safe when they get sold: think pharma, food, toys, cars, etc.
> Will it actually improve security? I don't think so.
Think B2C. It will improve things there, and massively so. Software in B2B was already somewhat regulated via audits and certifications.