Re: "here is no financial incentive for any firm to implement IoT security : "
Problem is, in the modern world advertising and media is not "based on" but instead CONSTITUTES the properties of any product for 99.99% of customers. Some of us happen to be knowledgeable enough to know better, yes. But everybody else hears "extra security for your kids!" on telly and they know this watch makes their kids extra secure (no doubt about that), then they read "your kids peddled to paedos by security watch" in a tabloid and they know their kids are in mortal peril (no doubt about that) whether any of that is actually the case or not.
Which is not to say this stuff is not badly bugged (I'm sure it's plenty insecure) - but rather that most people don't stand much of a chance of making any determination more sophisticated than the above about most things in their lives. Reading up on things takes lots of time (which nobody has, especially regarding every single thing they might actually need to know about every single thing) and it is ultimately severely limited by not having profound expertise and experience in assorted background topics, the way commentards here tend to have a lifetime's worth of about IT.
For instance, I don't believe there is any realistic amount of reading I could ever possibly do to gain a pertinent insight into the intricacies of protein folding - which might potentially be the key piece of information I might lack trying to make an informed decision on some topic related to, say, nutrition or health. We know why end-to-end encryption is fundamentally different than non-end-to-end, what https protects you against and what it does not and so on - the average punter (or mumsnet dweller) does not, never will, and never could. In the absence of a better and more objective source, they have no choice but to remain the plaything of corporate ads and sensation-chasing rags...