The same goes for my thermostat. And my lights. And my stove. And my freezer. If you're not taking security seriously, I'm not taking your fscking product seriously.
The entire industrial control world is completely indifferent to security. Things like HMI applications may implement user-level restrictions, but ultimately the hardware they interface with is usually just open access over OPC or HTML. This works in general when you're on an isolated industrial network; of course, these networks are typically not completely isolated, allowing remote access for maintenance and support. Even when completely isolated, you still have the issue of operators connecting infected hardware to the network, as seen with Stuxnet.
The problem with IoT is that the same embedded and controls engineers are just applying the same methodology to this as industrial applications, and assuming someone upstream will handle the security issue. Security is a double-edged sword. While it's necessary at some level, it's going to add considerable overhead and latency, and is all but unusable if you intend to do real-time control. The isolated, open network is the only sensible approach. Now, IoT parts could completely embrace the industrial methodology, and while the typical controls engineer might think nothing of running Ethernet or RS-485 drops throughout their home with a central secured gateway for access, the typical consumer user is enamored with all things wireless. On the other hand, IoT parts are not doing any form of real-time control over their remote interfaces, so there's no reason for them to be externally behaving like industrial hardware, and programmers stuck in that mindset should not be left in charge of building those interfaces.