It occurs to me that part of the problem with the IoT device security probably comes from the fact that these devices are being made, mostly, by the same companies that have been making the non-IoT devices of the same function. Their software developers have been used to making either black box controllers (where security isn't an issue because they simply have no attack surface) or they were making things that connected to a sealed and totally controlled industrial control network (where security isn't an issue because there should be no attackers). (Yes, the majority of attacks on computer networks have, historically, been inside attacks. That's because of the vagaries of humans, not because a sealed control network should be built differently than the way they are. If you're building a sealed control network, you're supposed to be able to trust your humans.)
Plunk these people down in an environment where you're trying to build something that exposes the control interface to the Internet by design, and you've got a problem.