No, the enemy is the idiot who wrote the specs
If you look at the "standard" specs for IoT protocols, such as ONVIF, they cannot be implemented on a small system with minimal attack surface. The spec requires a fully blown SOAP implementation, RTSP implementation, HTTP implementation and god knows what else. The Internet-facing attack surface is gigantic by design.
This is just the standard - before we add all the backdoors for illegal (as they violate the DPA) luser-friendly applications which report all of the activities in your house to a server in Shenzhen so that a similarly insecure Android app works in order for the customer to spy on his household.
This "insecure by design" spec + extra "market requirements" is then given to be implemented by "Joe Embedded Developer" who never had to write any secure code in his entire career.
The results are as expected and should be fixed at the root. Just take all authors of the ONVIF spec and march them off the plank somewhere in the middle of the China Sea. The local flora and fauna will do the rest (*).
(*) There is no need to march the marketing which spec-ed the Android app reporting you to a server in Shenzhen. That can and should be dealt with by enforcing import laws. Any piece of kit running this software is illegal and should be diverted straight to recycling at customs.