And how are consumers supposed to identify which devices are more secure at the pre-sale stage, and which vendors take security seriously?
They can't, and I never said they could. We try to educate them. One thing we do, for example, is analyze potential devices for customers and figure out if there are any security issues. For example, GPS trackers that you buy cheaply on eBay or Alibaba all have major security issues. We show this to customers and have independent parties verify this before they decide to buy them. Granted, we usually don't deal with individual end users, but with resellers or distributors and industry, but each one of them gets the security talk.
Also, in what way do you take security seriously?
Keep security in mind from the start of the project. Have dedicated security and cryptography people on board (I'm a cryptographer and security researcher myself), have third-party code reviews, use formal verification methods, use industry-standard cryptographic routines, use strict privilege separation with e.g. an L4 kernel like Fiasco.OC, have data encrypted at every stage (in motion, at rest, ...), unique cryptographic keys per device, signed binaries for remote updates, every remote command is encrypted, signed and verified on the device, every communication from the device is encrypted, signed and verified by the server, etc.
In the end, if people want to change the firmware and use their own server etc., they still can as well. It just won't talk to our servers anymore, but that is usually what the goal is and we support our customers with that. We can also support our clients to use their own servers and give best practices to secure them, and often we just develop a firmware specifically for them that adheres to the same security standards.
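Added example, not part of the original comment and not the commenter's code: a sketch of why "unique cryptographic keys per device" and "every remote command is verified on the device" work together. Assumptions: the message layout, the names `derive_device_key`, `sign_command` and `Device`, and the replay counter are hypothetical; HMAC-SHA256 stands in for the signature the comment mentions, and encryption is left out.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size

def derive_device_key(master_key: bytes, device_id: str) -> bytes:
    """Per-device key via HKDF-SHA256 (RFC 5869): extract, then one expand block."""
    prk = hmac.new(b"\x00" * 32, master_key, hashlib.sha256).digest()
    return hmac.new(prk, b"cmd-auth:" + device_id.encode() + b"\x01", hashlib.sha256).digest()

def sign_command(device_key: bytes, device_id: str, counter: int, command: bytes) -> bytes:
    """Server side. Hypothetical layout: id_len | device_id | counter | command | tag."""
    header = struct.pack(">H", len(device_id)) + device_id.encode() + struct.pack(">Q", counter)
    return header + command + hmac.new(device_key, header + command, hashlib.sha256).digest()

class Device:
    def __init__(self, device_id: str, device_key: bytes):
        self.device_id = device_id
        self._key = device_key
        self._last_counter = 0  # highest counter accepted so far

    def accept(self, message: bytes):
        """Return the command if authentic, addressed to this device and fresh; else None."""
        if len(message) < 2 + 8 + TAG_LEN:
            return None
        body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # authenticate before parsing anything
            return None
        id_len = struct.unpack(">H", body[:2])[0]
        if len(body) < 10 + id_len or body[2:2 + id_len] != self.device_id.encode():
            return None
        counter = struct.unpack(">Q", body[2 + id_len:10 + id_len])[0]
        if counter <= self._last_counter:  # reject replays of old commands
            return None
        self._last_counter = counter
        return body[10 + id_len:]

def demo():
    master = bytes(range(32))  # constructed sample key, not a real secret
    key_a = derive_device_key(master, "tracker-A")
    a, b = Device("tracker-A", key_a), Device("tracker-B", derive_device_key(master, "tracker-B"))
    msg = sign_command(key_a, "tracker-A", 1, b"reboot")
    tampered = msg[:-33] + bytes([msg[-33] ^ 1]) + msg[-32:]  # flip one bit of the command
    return {"valid": a.accept(msg), "replayed": a.accept(msg),
            "other_device": b.accept(msg), "tampered": a.accept(tampered)}
```

Because each device only holds its own derived key, extracting the key from one unit does not let anyone forge commands for another.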