Hacker News

That is... tough. Do you want to know what you can do for yourself, or what society can do to fix the problem?

If you are considering for yourself, then there is the short term and long term view.

The short term view is that the cost of compromise is still low. As I said in a sibling comment, the cyberattack industry is still going through growing pains, so from a practical perspective, if you chart out the rate of cyberattack growth, you still have maybe 5-10 more years of coasting before things become an existential-threat sort of problem if you are running a big business. For instance, MGM made 14 G$ in revenue last year, 100 M$ is a pain, but not life threatening. With 5 more years of sophistication they can probably make that 1-3 G$ and then you are in for a real world of pain.

The long term view is to assume that every element of your system that is network connected is easily hacked. Then you need to redesign your system and processes around that assumption. All of the conveniences of network connectivity are going to be liabilities. With careful thought you can probably reorganize your systems around this assumption for a relatively modest impact to operations. This will not protect you per se, but it will make your business processes more robust. The usual thing you lose by minimizing system connectivity is that latency gets worse, but you can usually mitigate this with more batch processing. Your turnaround time gets worse, but your bandwidth stays the same. There are costs to redesigning your business processes like this, but they are a lot less than the hecklers claim since you will not use the exact same processes that assume low latency always-connected systems, you will change your processes to better suit the new normal. Unfortunately, I can not give you much more than a high level view here because it is very business specific.

If you are considering society, then the core problem is that the incentive structure is all messed up. That software deployment has no requirements on fitness for purpose, and that software companies can basically just lie about software security with total impunity, are just two of the obvious problems.

Unlike basically every other industry, where your product has to nominally work, software basically has no expectation or requirement of working no matter the use case. You can use whatever crappy software you find to run a nuclear power plant and nobody bats an eye. That is ridiculous. Deploying software that is unfit for a use case should not be allowed. However, the definition of fitness depends on the use case and the criticality; no one-size-fits-all set of requirements works. This is like how we have different standards for toys and bridges. This is how literally every other industry works. The EU Cyber Resilience Act supposedly has some of this, but I have not read it directly to comment on the specific implementation they did.

The other problem is that software companies are allowed to basically just lie about software security. Have you ever heard any company say anything other than "our product is secure" or "we have the most secure {X}"? These are meaningless terms. I propose that if you want to advertise security, you can say a dollar amount "our bank is secure against 15 M$ attacks", but then you need to put up a bug bounty for that amount. You want to lie and say 1 G$ when you know it is 10 M$, go ahead, you are going to lose your shirt. Also, to handle the consumer product angle you could divide the number by the number of devices or some fraction thereof. Yeah, 10 M$ might sound like a lot to a regular person, but if they can hack all 1 M of the units then they only need to get 10 $ per unit to make it worthwhile, so you really only have 10 $ of marginal security for your device.

I did not really directly answer your question though. If you really need to increase your security to the required level, then there is not much you can do. There is nothing currently available on the market that can do that and none of the current vendors is able to solve the problem. Basically anybody using the same old tired cybersecurity pitches is just selling you junk and anybody with a new spin on it is also probably junk. If you want real verification demand robust auditable test suites, unrestricted red team tests, formal specifications, and proofs of correctness. Those are basically impossible to fake and none of the clowns will be able to provide a semblance of those. Unfortunately, basically everybody is a clown, so all that will really happen is that you will find that there are no viable vendors.

Sorry I can not be of much help. The industry is a wasteland right now; we need to nurture solutions before we can use them.
