As someone who works with networking (consumer prosumer enterprise everything) the problem is far more complex than : make it open.

Manufacturers can support devices for long but it costs money which the consumers / businesses aren’t willing to pay or value. Cybersecurity is a joke and the general consensus is : we will pay for things as and when there is a fire. We don’t put a price on prevention because we can’t really show it to shareholders how we profited from not being attacked since we blocked those. So we create an arbitrary certification and pass things according to it. This certification doesn’t say anything about firmware. But if we do get attacked then we can convince the shareholders to spend money on better equipment this financial year and then not bother until the next time we have a problem.

Some of these certifications focus on what the devices allow you to do (like acls and firewalls) and see if they pass these tests. But actually looking at the firmware and finding vulnerabilities is not in scope.