You can't secure IoT, there is not enough value in each individual device to implement robust security. To make things worse - consumers don't understand security and don't put any pressure on demand side. The only way I can see the whole mess could be secured is with establishing secure perimeters and access control border devices.
For example, your house has ACME smart thermostat, ACME smart fridge, and ACME remote baby monitor device all connected to the Internet. Since ACME is competing/pressured based on price-point to keep their ShopMart contracts going, they have not spent any time securing their devices. It is 2025 and they are still stuck using badly-broken TLS 1.4! Fortunately for the consumer, home routers market stepped up and developed sophisticated access controls, reputation services, pattern-based communication analysis, and anomaly detection techniques. This way when a script kiddie attempts to exploit your thermostat, the router detects attempt and blocks the access to the IoT device.