
I experience something akin to this at work all the time. There are the real-world pragmatists and the software purity philosophers.

Tell the family of someone killed that, "____ shouldn't have purchased a device without knowing how to secure it!"




If you want to tug on heartstrings with the "what about medical devices" argument, it's probably just as likely that a Mirai botnet will impact a life support or public safety network as that BrickerBot will.


Allowing a medical device that can kill or harm someone to be connected to the internet would be a dramatic failure of both the company that produced it and the government. Monitoring is one thing, but it better be a one-way street or air-gapped. No one should be able to do anything to a medical device over the internet besides read information. Or even over a LAN. Even if it is much less convenient or practical.


One could make that argument in a hospital environment, but eventually patients go home. While they're at home, some telemedicine might save their lives. Should we expect e.g. pacemaker patients to know how to set up a VPN? Or maybe you're just saying that pacemakers must be controlled through direct contact only... that's on the device designers then, not on local network admins.


Yes, it should be direct contact. Even short-range wireless would make me nervous without guarantees that it was just one-way monitoring. I wouldn't blame network administrators for the safety of a device that should have never been on it in the first place.


Tell the family that the device was defective, and the manufacturer is entirely to blame. It's the simple truth, no need to try to blame the deceased.



