And just who is going to bring the aforesaid open model upon this class of gear? So it's +1 for spooks.
Yes and no. Across the security parts of that government with which I am familiar, the issues of which you are speaking are deeply troubling -- they buy computers, too. There is, indeed, the strong mandate to use commercial off the self (COTS) goods rather than government-only goods which, on balance, is a Very Good Thing as perversion of the supply chain is thereby a common enemy. That all significant private firms are transnational is likewise a Very Good Thing (at least in this context). Naturally, I have no access to whether the precise discussion taking place in English here on these two lists is simultaneously taking place in and around Beijing, Brussels, London, Moscow, and Tokyo, but I would be surprised if it is not. Put differently, all airlines share a joint interest in air safety and none advertise that "our planes fall out of the sky less often than theirs." Because airplane crashes are not concealable, they are studied and thus learned from. Perhaps the policy you might want to consider is mandated disclosure of computer failures whether from attacks or from clumsiness. Public health trumps medical privacy should you turn up at hospital with smallpox or the plague. Peter Neumann's long-running RISKS digest is a small mockup of what might well be a global need. As with airlines and the (US) National Transportation Safety Board, learning from events is about all you can do once collective complexity is above that level where further refinements of design are, at best, episodic. --dan