The problem isn't IoT by itself
...at least when it comes to security. The problem is the companies who implement IoT, the people working there, as well as the most stupid customers.
Imagine customers were moderately smart. You could simply offer an ssh-based interface to your device. The password would be printed on the serial number label, or a throwaway password would be displayed on the display. You'd log in and set the password you'd want to have. That's rather secure; I mean, that's how something like 99% of all servers on the Internet are controlled.
However you couldn't easily access it from outside... of course the solution is simple, a VPN or port forwarding, or just ssh-ing into your server and going into your fridge from there. Since it's all command line based and/or has a nice ncurses interface, it's all easy to integrate and secure.
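What the two paragraphs above describe, written out as an added example (not code from the original post): a first-boot provisioning script for an ssh-managed appliance that generates a throwaway password, forces a change on first login, and ships a minimal sshd hardening fragment, plus the client-side ssh config that reaches the device through the owner's own Internet-facing server with ProxyJump instead of exposing the device itself. All usernames, hostnames and addresses are hypothetical placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Names and hosts are placeholders.

# Random throwaway password for the first login; shown on the device display
# or printed on the label, and replaced by the owner right after logging in.
gen_initial_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 16
}

# Create the admin account with the throwaway password and expire it at once
# (chage -d 0), so the first login must set a new one. Needs root on the
# device; defined here for illustration and not run by default.
provision_admin_account() {
    user="$1"; pw="$2"
    useradd -m -s /bin/bash "$user"
    printf '%s:%s\n' "$user" "$pw" | chpasswd
    chage -d 0 "$user"
}

# Minimal sshd_config fragment for the appliance: no root login, keys
# preferred, a few attempts per connection, only the admin account allowed.
sshd_hardening_config() {
    cat <<'EOF'
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication yes
MaxAuthTries 3
LoginGraceTime 30
AllowUsers admin
EOF
}

# Client ~/.ssh/config: "ssh into your server and go into your fridge from
# there". The fridge stays on the home LAN; only homeserver faces the Internet.
client_jump_config() {
    cat <<'EOF'
Host homeserver
    HostName homeserver.example.net
    User alice
    IdentityFile ~/.ssh/id_ed25519

Host fridge
    HostName 192.168.1.50
    User admin
    ProxyJump homeserver
EOF
}
```

With that config, `ssh fridge` on the owner's laptop opens the jump connection automatically, and once the owner has logged in once with the throwaway password they can drop their public key into the device and turn `PasswordAuthentication` off.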
However, devices are not designed for people who know what they are doing, and they need to be cheap. Therefore you may not have a display and buttons to enter, for example, a WPA key. And of course since people don't use ssh, there needs to be an "app". And since app development is where the current bottom of the barrel developers seem to gather, that means you'll have some sort of insecure app. If you are lucky, those talk via TLS; if you are less lucky they talk via some home grown encryption system which uses standard ciphers... in a typical course you don't get crypto at all.
Oh, and of course people will want to use the functionality from outside, but they don't know how to set up a VPN... well, let's write a web service... which of course then is written by a group of people also known to regularly come from the bottom of the barrel, Java web developers.