I believe in the KISS principle. Even though people say that a hacker with the 0-days to go after IoT devices won't go after individual users... I will agree there. Individually, they won't bother with people. However, their script that walks the Internet and seizes control of devices is what would be done, with that info being sold to another party, just like credit card dumps. In fact, a list of vulnerable/cracked devices a person owns might even be in the same database tuple as their name, social security number, and other items sold on the black market.
There are some things I don't need. I can look at the date on items in my fridge and tell they are going to expire. I don't need to have a fancy infrastructure in place so that some company can sell me milk in the next round of banner ads. I can look near the commode and tell how many rolls of TP I have, and don't need to upload that info somewhere. I don't need a toilet which checks sugar levels but quietly uploads that to health insurance companies so they have an excuse to raise premiums. If I'm worried about sugar levels, I can always get a meter and a roll of test strips and do the job right.
We do not need an IoT. We are being sold this shit because "market expansion" balloons stock prices even though it may or may not make revenue.
IoT devices will be engineered to be as cheap to produce as possible. They will be coming out of the cheapest factory in China, and engineered to barely work. At best, they will barely pass UL standards, if they don't just come with a fake UL tag in the first place. It will be a given that there will be little thought to security [1], and the only way to fix them will be replacing them with devices that are even buggier and more expensive.
If we want monitoring, the parent had one way to do it "right". I'd prefer a wired bus engineered as the reverse of early USB. Devices can send info, but the top node that gets the info cannot initiate or send data... it can just send an ack that the data was received. Even with this, there are still ways to hack it, so the ideal is no system at all.
Because it can be connected to the Internet doesn't mean it should be. Take the Internet-connected deadbolt. We don't need junk like that. Instead, the time it takes to engineer that should have been spent making a better locking mechanism/door/jamb system to help against actual threats like lock bumping and kick-ins.
[1]: I've heard "security has no ROI" many a time, coupled with "Infosys/Geek Squad can fix anything if we get hacked", when I ask the follow-up question about contingency plans.