> I didn't state it should be the only mechanism. There could be others. Those class action lawsuits mentioned in the article prove there are some. But the primary mechanism is users' responsible choice.

That's simply not realistic on technical issues. Users can't take responsibility for choices they can't be reasonably expected to understand.

> Actually I think the blame is on us, techies. We should create a culture where security matters as much as performance, pleasant design or simple UI. Both among users we live with and companies we work in

If you believe that, in your own words, user's responsible choice should be the primary mechanism of enforcement of this, you've rejected any effective means of achieving the above trite and obvious truisms.

In fact, security should matter to us a lot more than performance, pleasant design, or simple UI, because unlike those, security can be a matter of life and death. Which is why I don't want to leave it up to users.

> And one fundamental problem of security for the masses is not solved yet: how a user can see if a product they use is secure without being a security expert.

Which begs the question why you want to leave security regulation up to users moving away from the product.