
This is in theory a good track to start with. However there is one small hole in the theory. Self reporting by security companies on breaches is very tough to impose. We have seen what self regulation/reporting did for the banking industry. If security companies sidestep accurate self reporting on breaches they have no incentive (in fact they might be motivated to let things slide for economic reasons) to create rock solid security solutions because they know there is an insurance company who will absorb the hit.

However, if you had an independent entity that rated the security companies' products, that might work. Or the insurance company has a division that rates the security products and provides different rates based on which product a company decides to use.


