So. The FTC is suing D-Link for crappy security on their devices contributing to the Great Internet-of-Shit DDoS Wars of 2016. And predictably enough, D-Link's response is that the FTC "fails to allege, as it must, that actual consumers suffered or are likely to suffer actual substantial injuries". Which is true, if you are talking about the D-Link consumers. Having a botnet root your router or camera, and use it as part of a DDoS attack on other people, doesn't harm you as a D-Link customer. It only harms the poor buggers that are the target of the attack.
Which is why this is such a tough problem. Neither the customers nor the vendors have any incentive to fix these problems, as it doesn't hurt them (hell, the D-Link owners don't even notice it's happening) and they get no direct benefit from the additional cost of better security.
I'm wondering if there is some kind of existing ("real world") law that coverers negligence causing harm to the community? Like, I dunno, letting your yard get overgrown and attracting rodents.