It might work eventually, but there is now a long history of people getting their key. There are also a large number of these “businesses” in existence, so you might successfully intercept some of these, but not all. Mixed results would further delay any impact.
A legitimate security company can’t propose this. It shifts them too much into black hat territory. Their only public recourse is to keep pushing users to maintain current backups and be prepared to wipe their systems. Users also need to become (and then stay) current on best practices for computer security. Most don’t.
A government could theoretically put some resources against this, but what they really need to do is go after the businesses. This either means playing whack-a-mole as they pop up and move around, or getting real cooperation from countries that harbor these guys. I am not holding my breath.
The real fun starts, IMO, when the IoT exploits pick up. Want to open your garage door or unlock your house or use your TV? Money, money, money.