Patches in small hardware are Not At All A Good Thing. Like, at all.
- there's always a chance you brick the device on an update, and for Average Joe that's the end of the road. Exceedingly annoying if the dead device happens to be a lightbulb, even more so if it was ALL your lightbulbs. Yes, un-brickable bootloaders are feasible, but also exceedingly rare and hellishly hard to do properly in severely UI-constrained hardware (like a lightbulb).
- there's always a chance some more powerful computing device in your home (could easily be your phone or better yet your router) is already infected with something capable of identifying and downloading appropriate malwarified firmware for your lightbulbs. Devices that can implement https and actually check they're really connecting to who they think do actually exist (barely just recently, in things like the ESP8266 chip, and poorly even there) but not every tiny chip is capable of doing that at all. You could of course also just simply sign firmware updates - right until your global key leaks / gets extracted / defeated etc.
- there's always ~~a chance~~ the absolute certainty that sooner rather than later one of the updates will alter or remove a feature or behavior that was the absolute cornerstone of your use case (or just breaks compatibility with something you need to keep using) - the only question more common than "how do I upgrade the firmware in <whatever>" is "how do I DOWNGRADE the firmware in <whatever>" and chances are the device (or the software that accompanies it) will actively try to prevent you doing that or even just avoiding the update...
- there's always a chance you'll end up in the nut-house trying to figure out why your Unambiguously Identified "Product X" just isn't willing at all to do / inter-operate with what is commonly known as something the Well Known "Product X" is quite capable of doing / inter-operating with, unless you're lucky enough to figure out you simply happen to have the "wrong" version of firmware and somehow everybody neglected to tell you that this is an Actual Thing with what is a stupid-simple, supposedly plug-and-play device (happened to me only yesterday, and I was getting close to reaching for an axe...).