There are a few things to keep in mind here. Firstly, there is the question of whether or not people even understand the possibility that they are causing problems ( point in case - smurf. The fix was available years ago, but the list of unpatched systems is huge ).
Applying the law in this manner is only going to be workable if people are informed. How many system administrators check CERT / Bugtraq / Rootshell / [Insert your favorite advisory site here] on even a weekly basis?
Recently, I was going through my articles database and one of the ones that I spotted was from late 1998. A group of people carried out their own Internet audit ( it was posted at the time at "the other site" ), and it made for interesting reading.
Out of several tens of millions of *nix systems ( they didn't bother to run a security scan on anything running Windows ;), they found 420,000+ systems with one or more of a list of 18 well-known vulnerabilities.
Since re-reading that article, it seems to me that there is a need for some kind of public organisation to be set up to not only periodically run scans of this type but to automatically forward an email to the system administrator.
If something like this existed, then you might be able to make a case that anyone who ignored such an email alert *was* guilty of criminal negligence. Until then, I don't think that what's being suggested here would really stand up in most courts ( regardless of the country ).
P.S.: last night, I realised why I hate the RIAA even though I don't download mp3's off the Internet. I looked at my CD collection and realised that I have paid the licensing fee for my music *twice*. I paid it once when I bought the vinyl LP and I paid it a second time when I bought the CD because I couldn't get LP player parts any more ( mutter, mutter, grumble, grumble ).
You might be strangling my chicken, but you don't want to know what I'm doing to your hampster.