Everything about the IoT is a bad idea, especially when it comes to security on old devices. Now there's a consortium to open-source some of the code? Even better--for those who want to cause harm.
Right now, most household appliances (refrigerators, stoves, thermostats, home automation, home security, etc.) are devices that are closed off. So, even though my stove may have a security hole, I might not be able to exploit it without using a JTAG. Ultimately, there's no easy way to exploit them unless you have physical access to the internals of the appliance. But the IoT changes that--and not for the better. To add, many of the devices you'd want to connect to the IoT have lifespans of decades. So, unless we get government action saying that "if you want to make an IoT device, you have to provide security support for 20+ years", we'll end up with pwned thermostats that we can't change, the fridge that now sends spam & doesn't have enough available processing power to turn on the compressor, or my TV that now shows popup ads for hookers, offshore pharmacies selling Viagra, and other ads in front of the kids & I can't shut it off. And all the better when the pwned IoT fridge wants to talk to my non-pwned IoT Smart TV. On top of that, it won't help that the Linux kernel (or Apache, PHP, MySQL, drivers, etc.) it's running on is 20 years old & nobody--except malware authors--has looked at that version for over a decade...
What an obvious clusterfuck waiting to happen... I'm just waiting for a group of early Smart TVs to get bricked because some malware does something to them--and the manufacturer says "not our problem--it's old!" Then people might realize what a Pandora's Box this is...