He sees the only solution as being regulation. Ugh.
I say "ugh" because a lot of what he says is hard to dispute. Bad security is an externality. The market won't address the problem. Manufacturers don't care, because customers don't care, and that won't change.
Where I think Schneier goes wrong is in thinking that a new government regulatory agency will be staffed by Internet security technocrats like him. If it were, I might be able to get behind his idea. But the Iron Law of Bureaucracy says that those technocrats won't run things, and the agency will soon look like all the other agencies: mostly incompetent, mostly ineffective in addressing the problem, captured by the industries it attempts to regulate, and imposing very high costs on everyone while stifling new innovation.
And it's US-only: the global market is huge, and there's nothing to ensure that these "better security" regulations apply to, say, China. In a sense, Schneier's proposal is a lot like the CO2 emission controls that have been proposed: they only apply to a small portion of the world, and externalities from other countries remain a huge problem, like smog from Chinese industry that drifts to the US west coast.
My take is that the problem is intractable this way. A different approach is to make attack traceability easier, and hold manufacturers liable for damages. Remove the externality via liability legislation.
Schneier still hopes that the problem is solvable:
We can't. The FBI won't stop trying to get crypto backdoors and the NSA won't stop collecting everyone's metadata. See the Iron Law for why. And so adding a new Three Letter Agency to try to solve the problem will not lead to a solution. It won't address the problem of trust, it will almost certainly make the problem worse.