New technology market deployments go in stages, including the following:
1) The underlying technology becomes available and financially viable. The window opens.
2) An explosion of companies introduce competing products and try to capture market share. They are in a race to jump through the window.
3) There is a shakeout: A handful become the dominant producers and the rest die off or move on to other things. The window has closed.
We've seen this over and over. (Two examples from a few decades back were the explosions of Unix boxes and PC graphics accelerator chips)
IoT applications recently passed stage 1), with the introduction of $1-ish priced, ultra-low-power (batteries last for years), systems-on-a-chip (computer, radio peripheral, miscellaneous sensor and other device interfaces) from TI, Nordic, Dialog, and others. It's in stage 2) now.
In stage 2) there's a race to get to market. Wait too long and your competitors eat your lunch and you die before deploying at all. So PBHs do things like deploy proof-of-concept lab prototypes as products, as soon as they work at all (or even BEFORE they do. B-b ) They figure that implementing a good security architecture up front will make them miss the window, and (if they think that far ahead at all) that they can fix it with upgrades later, after they're established, have financing, adequate staffing, and time to do it right - or at least well enough.
So right now you're seeing the IoT producucts that came out first - which means mostly the ones that either ignored security entirely or haven't gotten it set up right yet. Give it some time and you'll see better security - either from improvements among the early movers or new entrants who took the time to do it right and managed to survive long enough to get to market. Then you'll see a shakeout, as those who got SOMETHING wrong fail in competition with those who got it right.
If we're lucky, one of the "somethings" will be security. But Microsoft's example shows that's not necessarily a given.
In this case, though, the POINT of the product is security, so getting it wrong - visibly - may be a company killer. (I see that, in the wake of the exposure, the company is promising a field upgrade with this issue fixed in about a month. If it does happen, and comes out before the crooks develop and use an exploit, perhaps this company will become another example for the PHBs to point at when they push the engineers for fast schlock rather than slow solid-as-rocks.)