Unfortunately, that's several kinds of illegal in the US, Canada and Mexico. I'm not sure what the rules are in Europe anymore, but fairly similar certainly. Since I doubt you want a class in GAAP bookkeeping and anti-trust law, I'll summarize (the following are valid for all of North America):
What you are describing is called an 'incomplete product' and you can't book those as a sale until such time as the products are made whole. An incomplete product is one where features, accessories, upgrades and improvements (anything really) are promised but do not come 'in the box' and are not available at time of purchase*.
There are some exceptions, safety issues for the most part, and software has a few rules of its own.
- Minimum System Requirements: You can promise to make changes that ensure the software 'works' with, or with less than, the published Minimum System Requirements but Minimum System Requirements can't be increased without significant version change (which can be free or you can charge, it's up to you).
- Security Issues: Which can result, directly, in an unauthorized party gaining access to sensitive personal or financial information or newly discovered flaws in government approved encryption schemes that come bundled/embedded in the software.
- Dynamic data/Data streams/Reference Updates: This mostly deals with maps, but also includes things like a streaming data source changing location/name/format after the merger of two financial info companies for example. Also things like a country adopting a different time zone, changes in currencies and their symbols, entire new countries or replacement of old countries, stuff like that you can promise to update.
Below sketches out summaries for the above, but note that if the software publisher promises those updates/upgrades they must also state the duration of the update window (x - years, months, weeks, etc.). That window can be changed to be open longer, but never shorter (unless really weird stuff occurs like hostile government take over, business or business unit failure/insolvency, mergers and acquisitions in which the publisher keeps their current name, but changes industries entirely; if MS stopped making software, entirely, and started making pastries they could close the service window).
So a vulnerability that lets, say, endless popup browser windows onto your system doesn't qualify, nor would it if a different piece of software exploited a vulnerability in the popup ware to steal financial info as that is indirect.
The broken encryption bit allows you to promise to fix the NSA Compliant encryption, but it does not force you to do so. The software publisher can fix it, or not, or can disable/remove the broken encryption entirely from the software and has no obligation to offer a substitute (to my knowledge, no major software publisher has ever taken that last step and removed embedded encryption without offering an alternative, but they can do so if the original scheme was government approved and the implementation was properly executed).
Note: with the exception of the dynamic data part, the future improvements/fixes are also those that all North American governments require the publisher to make. The publishers have to do those things anyway, whether they promise to or not. If they do promise those things they are only saying they will obey the law.
With those exceptions in mind, a software publisher cannot offer upgrades, improvements, changes, modifications, non critical security updates (see above), appearance changes not related to Intellectual Property court rulings, anything. The publisher cannot offer/promise anything outside the three categories above in a purchase vehicle which transfers ownership, assigns a licensee or assigns responsibilities to another party and book the product as a sale until all the promises have been satisfied. You can't even book them as 'good faith' sales like you can when a customer provides a letter of intent or (varying by industry) a majority 51%+ downpayment or assets in escrow. Incomplete product sales are permanent holes in your books until all promises are satisfied.
If you never satisfy all of them then you could be selling $500 billion of those products annually and show $0 revenue. None. Zero. 40,000 employees working away and not one penny can be booked until you meet your promises. That will put anybody out of business in a few months.
Occasionally, a company will do an incomplete product campaign if they have sufficient resources to stay operational during the fulfillment period, and want to 'stock up/save' revenue for a year or two to offset huge future expenses they know are coming (variable loans, fees, penalties, taxes, liability suits, etc) but that's rare. In those cases that money is addressed in non GAAP non-regulatory announcements, but not on the official books or executive statements.
Physical products (computer hardware, cars, adult novelties, everything) have the same, mostly safety related rules.
What was that bit about 'purchase vehicles that transfer ownership or assign a licensee'? THIS IS IMPORTANT: That means that if you offer access to a product through a recurring subscription mechanism you can promise whatever you like (that's legal) and as long as you don't put a date on it and can prove you were actively working on delivering that feature(s) you don't have to actually deliver on those promises.
Now, some of that last sentence certainly goes on, but that's extreme. The norm is to provide what you promised, even if it doesn't meet everyone's expectations. But the big deal is that 'Cloud' offerings can be marketed as something they haven't yet become (plus you can show revenue out to the longest subscription period you offer) and book the sale now. That's a HUGE thing. The future is always brighter on the other side of the hill with the greener grass... But until very recently there weren't many products that weren't consumables and were actually possible to upgrade.
I realize that it sucks to buy something then find it's out of date six months later (I'm guessing you aren't old enough to remember when everything IT was made obsolete before you got the bands off the pallets) but the consumer protections afforded by the 'incomplete product' regulations are much more important. If exceptions and caveats are made for this or that then hundreds of millions of people will be losing protections they don't even know they have and that really have a positive effect on the value of their dollar.
I've spent plenty of time in those corner offices working with others to (legally) skirt those protections, and I'm a nice guy with some compassion and value more than just money, that isn't the norm. If you undercut those protections, just the smallest amount there are millions of greedy men on the other side of that wall who will screw you into the grave. The incomplete product regulations are surprisingly well thought out, and fairly impossible to bypass. You don't want that screwed up.
* It's called many things, but I always liked calling it the Ant Farm Exemption. Some products require either an additional part ('thing') to function as designed, or some kind of post use processing (film for example). Generally, varying laws from place to place mean the 'thing' can't be sold in the box, or the film processing lab won't fit in the box. In those cases, a certificate, or some validation mechanism entitles you to the required thing. Ants for your ant farm, let's say. All species of ant can't be shipped to all locations so upon buying the ant farm you send in your certificate (postage pre paid) and a person with the shittiest pack & ship job in the world sends you ants appropriate for your location. That's cool. BUT, if the ant farm was purchased in a state that allowed the farm to be sold, but ants can't be imported to your county, city, whatever where you live the ant farm people or retailer (varies by state) had to refund your purchase cost and any (reasonable) costs associated with breaking a child's heart plus a percentage of the initial cost (varies by region). That's actually a useful law. Same with some film processing (especially post WWII many types of film couldn't be returned to you if you lived in not the US or UK) and provisions were made for that (worked well) and now it's true for home drug tests, paternity tests, semen detection/infidelity detection (somebody should package all those things together!) and such.
Anyway, your idea isn't 'bad', it's just that there's a lot of law and regulation protecting you, and most consumers never even know it. But corporate execs know it, that's actually what they're usually talking about when they're zooming around all over the place. Even though consumer tech and software are valuable industries, they are still usually classified as 'entertainment and leisure' products. It's a bit shortsighted to have what are, effectively, toys screw with the protections that make sure all the keys are included with your keyboard and hydraulic brakes for your car aren't 'scheduled upgrades'...