Just opensource the firmware and redirect the update url.
That doesn't set a good precedent though. The community shouldn't be expected to carry every IoT device.
Maybe not, but it'd be nice to have the option. Wouldn't it?
If you as a user want third-party firmware usually you can jailbreak and install it yourself (especially if the original firmware has zero security). If we allow a vendor to choose to make "the community" responsible for their firmware, almost every vendor will choose that as quickly as possible (e.g. one year).
That's why in sane countries there is jurisdiction to deal with that.
If you leave capitalism unchecked it will fuck you as hard as any other system.
This assumes that vendors have IP rights to open source the firmware, which seems unlikely. Presumably there are third party commercial components they don't have rights to publish.
A rule like this essentially forbids closed source software. (Which, hey, might be a good thing... but then just mandate that directly and outlaw closed source software licensing.)