I'm both a network engineer for an ISP and a designer of IoT devices. A lot of this vulnerability is easily avoidable by being willing to invest in purpose-built firmware and devices.
By this I mean your typical rushed-to-market IoT device is made by tacking specialized functionality onto a general-purpose gizmo with a complete IP stack or even a complete functioning operating system. This saves a ton of design time and avoids obvious bugs. But it comes at the price of making these devices hackable.
As an example, you can use a Raspberry Pi to make a thermostat with its own webpage that is WiFi-integrated in about 30 minutes, but in so doing you inherit all sorts of vulnerable stuff you don't need.
You could instead make that thermostat connect via encrypted x25 to a central hub which serves the webpage, and have only one point of vulnerability that is more easily secured and patched.
Anyway, the point is most of these problems would be avoided by going backwards -- i.e. not being afraid to invest time and money in purpose-built devices designed from scratch.
But time is money and expertise is expensive, so ... let's just have the world hijacked by our toasters so we can meet a quarterly earnings projection. Tomorrow doesn't matter. I want my money today. Lol