I'm beyond the point of sympathy for people who buy this shit.
You have rather high expectations of the average consumer. They see, say, an IoT light bulb. The box says they can control it with their smartphone, and that it's "secure". Just like their car claims to be safe, that the milk they drink says its safe, like the anti-tamper seals on bottles are supposed to be secure.
People can't be experts on everything. They probably had to have their ISP set up their router or them, and have no idea that they even have a home network. It's not their fault, it's our fault. We need to make products that are secure by default and that are easy to understand and use. None of this "just configure your firewall" or "enable WPA2 with a cryptographically strong password".
Honeywell should not be making insecure devices like this. They should stop, recall them all and wait until they have a secure by default product to sell. Strong regulation and massive fines for enforcement. Mandatory recalls of insecure products.