That may well be true, except there's one critical problem
Individuals who do not do their due diligence, who do not take the necessary steps to secure their property so that it doesn't cause harm to others, are *not* in any way liable for the damage they cause. Because they arn't liable, they don't give a shit, and won't make attempts to rectify the situation. The manufacturers are not liable for putting out insecure crap. Because they arn't liable, they don't give a shit, and won't make attempts to rectify the situation.
And so vigilantism like this becomes inevitable, because the law isn't doing fuck all about the actual problem.
There are going to be bad actors. There are *always* going to be bad actors. Whether it's individual, terrorist organization, or even governments, there will always be someone pumping out this kind of malware. This is not an argument of blaming the victim vs blaming the offender. This isn't analogous to some petty crime. This is close to war than anything else. And as anyone (should) knows, there are no rules in war. There are only the survivors and the dead.
You either defend against it, or you get steamrolled by the inevitable. You may still get steamrolled even if you defend against it, but the point is that you have to at least try because if you don't you *will* be compromised, and your devices *will* be used to harm others.
If you do not at least try to secure your devices, then IMO you are as liable for the damage they cause as if you performed the act yourself, in the same way that you are still responsible if you leave a loaded gun on the sidewalk in a crime-ridden neighbourhood.