Then small companies can no longer make any IoT product.
Not necessarily. It depends on what your standards and rules are.
Sure, you could write the rules in such a way that only big companies can afford to comply with them. It doesn't mean you have to. What's more, rules could actually ensure small companies could remain competitive by creating safe harbors if you do certain things. Believe me, there are lawsuits coming in the future, whether there is legislative or regulatory action or no. It would go a long way toward keeping the little guy competitive if he could point to rules that he was supposed to follow and did. This would socialize the cost of novel attack vectors evenly rather than distribute the costs stochastically.
Eliminating the low-hanging fruit could make IoT devices reasonably safe, and "reasonable" is a much more attainable goal than "absolutely". Everyone fails at "absolutely", but only big companies can afford to bear the cost of that failure.
As for stuff getting designed in China, it's the low prices, period. I actually evaluated some Chinese radio linked flow meters a few years ago -- they were intended for metering liquor being poured in casinos (where the "free drinks" paid for by the casinos are actually paid for by a subcontractor and poured by a bartender who lives on tips). We wanted to adapt them for pesticide flow metering. The guy we were working with was selling these gizmos at $200, but they arrived on his US loading dock from China all boxed and ready to ship out to customers at a wholesale price of about $3. I was astonished. That's why stuff like that doesn't get made in the first world anymore, it's the jaw-droppingly low wholesale prices. Quality wasn't great, but with a $197 margin you can afford to ship replacements out for free.
Adding regulatory compliance costs to a device like that actually favors domestic producers.