It's sad but I fight the same battle almost every day regarding safety systems in factory automation. There are specific regulations and best practices that we have to follow in order to determine that a machine is safe for an operator to use, and it falls under the heading of "big E" Engineering, as in the type you need to have a license to certify. We put a lot of effort into making the machine both provably safe, but we also have to make it recover nicely from an abrupt shutdown if someone opens a guard door, etc. Everyone from management, to the engineering staff, to the operators themselves who use the equipment constantly gripe about how much effort we have to put into the safety systems, even when it's their own life that's at risk. Almost every discussion involves someone saying, "why can't we just tell people not to stick their hand in the machine?" The answer, of course, is that the rules are different for a machine that starts and stops automatically, than it would be, e.g., for a table saw or a drill press with an on/off switch. The rules are different precisely because people do stick their hands into machines that are stopped. Engineers are professionals who accept people as they are, not as we wish they could be.
Really we could solve the security problems in "IoT" devices by applying the same strict Engineering principles that we do to safety systems in factory automation. You would do this by functionally separating the part of the system responsible for security from the rest of the system, having certified parts that you can purchase that are rated to various industry best practice security standards, and then having a licensed professional engineer review and sign off on the design. Guess what though... it would cost more money. However, I believe there are certain products, where there's a risk to the public, that should be legislated to require this kind of certification.