"Appropriate regulation" doesn't necessarily mean designing the protocols used. It can mean things like governments taking responsibility to ensure that companies meet certain minimum levels of security and accountability, just like they do with things like say automobiles or water heaters.
You can't prevent all mistakes from happening, and you can't even prevent all malicious or dishonest action. You can however ensure that the bad actors face the consequences and don't hide behind "terms of service agreements" and an army of lawyers.
If Facebook loses your cat pictures, well quite frankly I don't care because Facebook really doesn't matter. If however my thermostat and every thermostat in the country doesn't work unless it was connected to a server in bongo-bongo land (or California - same things really) and they shut down and now my house freezes while I stand in line behind 10 million other people waiting for a replacement, then I'm going to care a lot. People should be able to buy critical stuff and know that it is safe to use without having to analyse the technology behind it.