When software is released so full of vulnerabilities and has to be updated so frequently, to me it means the makers are being very careless and maybe should be subject to civil liability when their software causes damages. That would probably change things for the better. It is very shoddy software if it has to be updated so often for security.
I disagree with this statement. If you look at what a web browser did 20 years ago, that was...
* decode SGML markup
* maybe parse basic CSS
* limited or no JavaScript support
* limited image file formats
* only HTTP
Now what does a web browser have to do?
* XHTML + HTML 4.0 support + SVG, XSL, JSON and others
* video decoding in multiple formats (YouTube, Netflix, etc.) (WebM encapsulation, codecs AV1, VP9, H264/H265... up to 4K rendered on graphics cards directly)
* multiple types of new file formats, such as WebP, JPEG2000, MNG/APNG...
* support a vastly more complicated HTML and CSS standard
* support complex JavaScript environments including JIT compilation
* support vastly more protocols such as HTTP2.0, HTTPS, multiple new forms of SSL (TLS 3.0), async HTTP requests and so on
There is a much larger attack area. This is necessary to support the modern web. If you do not want these features that is fine, but you would need to disable them or find a very old secure build of Firefox or something that did not have them. This would probably break most of the things you use on the internet.
Many older browsers did have serious security flaws. For instance, IE5.5 had a bug in it which allowed remote code execution via a maliciously crafted PNG image. It took Microsoft ages to patch that. Companies, including Microsoft, are far better now. For instance, in shared libraries they cooperate to disclose a fix at the same time to avoid an attacker having the opportunity to exploit one system before others have had a chance to patch it.
The modern way is not necessarily to exploit your system to put an annoying virus on it, either. Some exploits can be essentially hidden and be used to exfiltrate data such as passwords or CC data to a server somewhere.
The idea of attaching any civil liability to free open source software is laughable in the courts. If you read the GPL, the "No Warranty" part is very clear; it is literally in all caps. Nonetheless, even commercial software usually excludes liability for losses. Only in B2B services do you tend to find liability put on the supplier, but you can bet that will be baked into the cost of the software and service.