
I can't file because I'm not based in the US, but I'd love to see smartphones, tablets and similar devices be covered as part of IoT in general, as they share the most important of the characteristics: the manufacturer sells a device connected to the Internet.

There are multiple issues that I think need urgent regulatory attention, and the issue classes are valid for both "classic" IoT devices and phones:

1. Manufacturers often do not state anything about support: availability of spare parts, feature updates, security updates. Even those that do, like Google's Pixel lineup, have ridiculously short times, and "enterprise" devices like my Samsung Galaxy Tab Active 3 that's 2.5 years old don't have spare screens available any more. I bought an "enterprise" device in the hope that it would have a better supply chain than consumer devices, but I was mistaken.

2. Many devices with batteries are sold without the ability to easily replace them or without officially sanctioned spare parts, which causes a risk of people running devices with swollen or otherwise damaged batteries, or of devices living far shorter lives than they could because batteries can and do simply lose capacity.

3. Many devices are completely locked down. This is particularly relevant for SSL root certificates whose expiry leads to devices being bricked, or for people who simply would like to enjoy the freedoms of the GPL and other FOSS licenses but can't because custom firmware can't be installed at all (due to Secure Boot) or permanently bricks features out of DRM concerns (e.g. Samsung Knox, Netflix, banking and many other apps that refuse to run on rooted or otherwise modified devices).

4. Many devices' BSPs (board support packages) are littered with ridiculously old forks of stuff like bootloaders, the Linux kernel or other userland software, and the chip/BSP vendors and manufacturers don't give a fuck about upstreaming their changes, or the code quality is so bad it cannot be reasonably upstreamed.
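As an added illustration of the root-certificate point in item 3 above (this is editor-added example code, not part of the original comment or any vendor's tooling): a device with a frozen trust store stops validating TLS the moment the roots it ships expire, so a firmware build should at least be audited for how long its bundled CA certificates remain valid. The script below does that with only the Python standard library, walking just enough DER to reach the X.509 Validity field. The certificates it audits are synthetic skeletons constructed inside the script (placeholder serial, algorithm and empty names; only the Validity field is meaningful); the `audit_trust_store` function works unchanged on a real PEM bundle such as a firmware image's `ca-certificates.crt`.

```python
"""Audit an embedded CA bundle for expired or soon-to-expire roots (stdlib only).

Editor-added example. Walks DER only as far as the X.509 Validity field, so it
runs on a build host with neither `cryptography` nor an openssl binary present.
"""
import base64
import re
from datetime import datetime, timedelta, timezone

UTCTIME, GENERALIZEDTIME, SEQUENCE = 0x17, 0x18, 0x30


def read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: low 7 bits = length-of-length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(constructed_value):
    """Yield (tag, value) for each TLV directly inside a constructed element."""
    pos = 0
    while pos < len(constructed_value):
        tag, value, pos = read_tlv(constructed_value, pos)
        yield tag, value


def parse_time(tag, value):
    """Decode an RFC 5280 Time (UTCTime YYMMDDHHMMSSZ or GeneralizedTime YYYYMMDDHHMMSSZ)."""
    text = value.decode("ascii")
    if tag == UTCTIME:                        # two-digit year pivot per RFC 5280 4.1.2.5.1
        year = int(text[:2])
        text = f"{year + (1900 if year >= 50 else 2000)}{text[2:]}"
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def validity_from_der(der):
    """Return (notBefore, notAfter) of a DER-encoded Certificate as aware datetimes."""
    tag, cert, _ = read_tlv(der, 0)
    tbs_tag, tbs, _ = read_tlv(cert, 0)
    if tag != SEQUENCE or tbs_tag != SEQUENCE:
        raise ValueError("not a Certificate/TBSCertificate SEQUENCE")
    # Validity is the first SEQUENCE in TBSCertificate whose two children are Time values.
    for ctag, cval in children(tbs):
        parts = list(children(cval)) if ctag == SEQUENCE else []
        if len(parts) == 2 and parts[0][0] in (UTCTIME, GENERALIZEDTIME):
            return parse_time(*parts[0]), parse_time(*parts[1])
    raise ValueError("no Validity field found")


def pem_bundle_to_ders(pem_text):
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]


def audit_trust_store(pem_text, now, horizon_days=365):
    """Classify each cert in a PEM bundle as 'expired', 'expiring' (within horizon) or 'ok'."""
    findings = []
    for index, der in enumerate(pem_bundle_to_ders(pem_text)):
        _, not_after = validity_from_der(der)
        status = ("expired" if not_after <= now
                  else "expiring" if not_after <= now + timedelta(days=horizon_days)
                  else "ok")
        findings.append((index, status, not_after.isoformat()))
    return findings


# --- constructed sample input: NOT real certificates, only Validity is meaningful ---
def tlv(tag, body):
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body


def synthetic_cert(not_before, not_after):
    time = lambda s: tlv(GENERALIZEDTIME if len(s) == 15 else UTCTIME, s.encode())
    tbs = (tlv(0xA0, tlv(0x02, b"\x02"))                                   # [0] version v3
           + tlv(0x02, b"\x01")                                             # serialNumber (placeholder)
           + tlv(SEQUENCE, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
           + tlv(SEQUENCE, b"")                                             # issuer: empty Name
           + tlv(SEQUENCE, time(not_before) + time(not_after))              # validity
           + tlv(SEQUENCE, b""))                                            # subject: empty Name
    return tlv(SEQUENCE, tlv(SEQUENCE, tbs) + tlv(SEQUENCE, b"") + tlv(0x03, b"\x00"))


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


SAMPLE_BUNDLE = "".join(to_pem(synthetic_cert(nb, na)) for nb, na in [
    ("000101000000Z", "201231235959Z"),      # UTCTime, expired end of 2020
    ("100101000000Z", "240630000000Z"),      # UTCTime, expires mid-2024
    ("20100101000000Z", "20300101000000Z"),  # GeneralizedTime, valid until 2030
])


def audit_sample(now_iso="2024-01-01T00:00:00+00:00"):
    return audit_trust_store(SAMPLE_BUNDLE, datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    for index, status, not_after in audit_sample():
        print(f"cert {index}: {status:9s} notAfter={not_after}")
```

Run against a device's real bundle with `audit_trust_store(open(path).read(), datetime.now(timezone.utc), horizon_days=...)`, where the horizon is the support period the manufacturer actually commits to; any root landing in `expiring` before that date is the point where a device with no update path stops connecting. The script parses only the Validity field and does no signature or chain verification, which is intentional for a build-time audit.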



Re your point 4 in particular, I feel your pain -- I said "exposed public keys, expired certs" in the OP for a reason. The current item doesn't contemplate a requirement to tie these off as such, but I'd be interested to see if commenters ask for this as part of getting a stronger label.


Thanks for your response!

To add on the "label" point: I don't think labels are enough, not in a world where consumers (private, commercial and government) primarily look at the price in purchase decisions. At least a base set of legally binding requirements must be established.

ETA: I'd also love to see an exception for small scale / startups. Like < 1000 units sold per model and year. That allows quick iterations while the large offenders still have to comply.


Thanks for yours!

It depends how much the labels shape behavior. I'm envisioning a "high-tier" label that says that risks X, Y and Z have been addressed by M means and that, e.g., addressing risk Z meant sweeping stated databases for known security holes, committing to security-only patches for N years, and hiring J compan(ies) to sweep your firmware within specified parameters -- or whatever other things from the wish list of infosec pros that people like posters in this thread choose to advocate for. Hopefully that would be better than what we have now, which is mainly price/churn-driven minimum viable product.

Re your exception: I don't think mandatory labels are on the horizon in the USA, but this could indeed be a problem under other regulatory regimes.



