Known vulnerabilities
This is actually the problem with the bill: when can you stop patching, and ship the product? And let's say that the vulnerability is in some pretty knackered spot, just before release. What then?
The i.MX7 processor has a certificate vulnerability in its ROM. This means that no product with that part may be shipped under this bill. Whole product lines would have to be scrapped. Way too costly. But what can you, as an OEM, do?