We already know what the failures are. We already know what the solutions are. We know it because people have been born and died in the span of time we have been dealing with these same problems. There is no need to assemble guidelines (that no company would follow anyway without being forced to).
> Software engineers can't even agree on best practices as is.
I'm not talking about "best practice"; I'm talking about, before you ship a build to customers, you must at least run it once to look for errors. This is kid stuff, yet the companies don't do it, and subsequently half the flights in the USA are delayed for weeks. There is no need to argue about this, there is no question that there are basic practices that should be considered malpractice not to do. We must make this law or they will continue to disregard these basic practices and we will continue to suffer for it.
> Software has a tendency to evolve and need maintenance or add features after
That is a flaw in business practice, it has nothing to do with software itself. I can run a suite of Perl programs today that I wrote 20 years ago, and they run flawlessly. No need for maintenance, it just works. The reason is, we just happened to treat this one language as something that should not break, and should last a long time. No reason we couldn't treat other software the same way. The fact that other software doesn't is a choice by a lazy industry and uncaring business models, and this choice needs to be challenged, the way every industry has had to be challenged by codes (the reason codes exist is industry cannot be trusted to "do the right thing", they need to be forced).
But despite this, codes change all the time. The electrical code changes as solar progresses. Building codes change as we learn new things or new materials are introduced. The codes do change slowly, precisely so the work is well thought-out, coordinated, and safe, which nobody can say about modern software. The time for move fast and break things needs to end.
I don't think it's a flaw and throwing this away isn't worth a quarter of the hassle that comes with any enforcment implementation I can conceive of. Please think about what testing, safety, security is "enough", how you test it, and if it's worth the tradeoffs.
Who is at fault for code violations? The scope of software is generally too big that prearchitected designs don't work and you must assign life safety faults to a PE. Software doesn't work like that, it's not singularly done. You shouldn't need to file a permit for expansion to add a feature or plug a security hole.
You point to solar, but solar is less complicated than the things most of this website would deride as simple in software. The electrical codes. It has hardly changed at all since it's inception, and only inspired a handful (<12) of changes since the 2008 NEC. Most jurisdictions only update every 2 cycles or so, so we're talking 3 updates.
Move fast and break things is fine when it's okay to break things; software is fundamentally different than physical infrastructure and you paint with really broad strokes here when you just assert "need" and "right".
I work with building code every day and I fundamentally disagree that writing a "critical software code" would be net beneficial.