I believe this comes closest to the proper answer. Eventually, we need technology-literate courts, and a law that criminalizes failure to fix disclosed vulnerabilities. Until that day, the process you describe best achieves the same result.
I agree, and -- generally speaking -- OEMs take FDA compliance for Class III medical devices very seriously. If there is a regulation violation that could put patients at risk, the FDA would not hesitate to shut down production and force a fix, whether it's hardware or software.
(Speaking from the perspective of an IT guy at an electronics manufacturing company who is well versed in CFR 11 and medical validation.)