I made this comment on a similar topic and it applies here... very much so here:
Two things are obviously needed and therein will be a whole new set of problems...
1) The company producing IoT must be willing to sacrifice some profit for updates and maintenance of the software. We as IT know this, but most of the companies doing this don't care except for the bottom line. They should also be providing information to the user to secure these devices once installed.
2) User education. This is the toughest as education on the simplest things is rapidly disappearing in the US, maybe elsewhere. The users/customers should ask questions.... like "How often for software updates and fixes?", "What do I need to do to keep these things updated and secure?". But given that most people will buy the shiny and not give a thought to upkeep.... meh....
Until number 2) happens and forces the issue, number 1) won't ever happen.