Presumably it could work the way auto insurance works, where you'd be required to carry insurance but you'd have your pick of who supplies it. (Unless I misunderstood and you're opposed to requiring insurance for anything.)
The issue here is that insurance doesn't actually solve the problem. Auto insurance doesn't get people to drive better, because a car accident can kill you, which means that all the people driving like idiots are doing it because they already don't think they're going to get into a collision. And you'll notice that they all still drive like idiots even with insurance, possibly more so because of the moral hazard.
All auto insurance really does is make it so that when some idiot with no money hits you with their car, there will be somebody to pay for the damages.
The problem with doing this for computer security is that if you don't put the liability on the company then there is nothing for the insurance to cover, but if you did then it would bankrupt the insurance company.
Imagine one of the vendor's clients is a pharmaceutical company and the attackers get access to their pre-publication research files. That could be ten billion dollars in damages. For one client. Imagine five of the clients are pharmaceutical companies. The other clients could be financial institutions, cloud providers (who would in turn have their own affected clients), movie studios (and now all of the next year's movies are on The Pirate Bay prior to release), etc. All at the same time, for a single security incident.
And how do you put a price on the sort of national security threat it poses when foreign governments gain access to US government systems? Who do you even compensate for that?
This isn't the sort of problem insurance can fix.
Maybe what we need is something like publicly-funded security audits of popular software.
It's a bad idea to create insurance monopolies.
Unless you are a corrupt regulator, corrupt insurance company exec, or corrupt officer in the industry being targeted.
Then, you can fine-tune it to maximize your take and punish the downstream customers.
Like how the American medical system works.