We already have that. The Common Criteria (ISO 15408) has existed for literal decades at this point and is required for usage in government systems.
Vendors just find it too difficult to certify against attacks at the “script kiddie” level, so they lobbied the government to lower the standards so even the lowest-rated systems, ones not even audited for security, are allowed for general usage in critical systems.
The large commercial vendors, such as Apple, Microsoft, or Amazon, have spent billions of dollars and literal decades trying to improve their security and have uniformly failed to certify that they can deploy any system that can protect against small commercial teams, unlike actual high-security vendors who can produce systems secure against even state actors.