Insecurity isn't a necessary component of corporate data-harvesting... it's quite possible to make a device with robust, impenetrable security that encrypts & transports vast quantities harvested data to its corporate masters.
These are the REAL problems with most IoT devices:
1. Devices with 8-bit MCUs that treat the internet like a UDP-implemented serial port & have no meaningful security of their own.
2. Linux's (intentional) lack of a stable kernel ABI, which makes it all-but-impossible for end users to take control of their own destiny and upgrade devices long after they've been abandoned by their manufacturers.
3. The lack of meaningful public documentation of the underlying SoC. If MediaTek, Qualcomm, etc. doesn't make proper datasheets available to the public, reverse-engineering some generic nameless webcam is going to be *really* hard unless you have access to the hardware & software tools usually owned only by companies or universities.
If somebody can name a sub-$60 IP camera with official open-source firmware, I'd *love* to be proven wrong, but the fact is, sub-$60 IP cameras are practically large-scale integrated circuits *themselves*. Seven times out of eight, not even the nominal *manufacturer* of the camera has access to the full sourcecode to its firmware... they buy some SoC, assemble it into a camera based on some generic reference design, and get all the firmware & drivers verbatim from the SoC's manufacturer (like the thousands of knock-off "Foscam-type" IP webcams).