I think we have to face the fact that we're moving beyond an era where we can secure systems and instead need to move towards mitigating the damage.
Let's think about our unupgradeable internet enabled toaster that counts our calories and orders fresh bread when it detects we've used up what we have. If that toaster gets hacked there are a few possible results:
1) It might set your house on fire. This should be mitigated by all toasters having appropriate physical sensors that are not software controlled to prevent a fire. A simple thermal fuse would cost only a cent or two. A manufacturer who builds a toaster that can be set on fire over the internet under any circumstances should face significant liability.
2) Your toaster might be turned into a spam machine or bitcoin miner or something similar. If this renders your toaster non-functional then you will throw it out because its broken and its no longer a problem.
3) Your toaster might be more carefully owned and remain functional. This is obviously the worst case. But the way to handle this is with improved perimiter defenses Routers should be enhanced to monitor for suspicious activity. You could get a virus alert or similar that notifies you your toaster is behaving oddly.
The level of protection needed depends on the device. Something with a camera or microphone needs more thoughtful security than a toaster. (Until our toasters include facial recognition to tune the desired level of toastiness).
Another related thought. One big issue we have is embedded systems are often networked together. Traffic lights for instance. My first choice would be that such devices not be on the internet, but if they must I think we could create some isolation or sandboxing. Imaging if each embedded traffic light had a mini-router chip that had some sort of unalterable channel code. Make sure that a traffic light can only talk to other traffic lights or control hardware with the same channel code. Beyond that, I think you are going to again have to rely on perimiter defenses built into routers to detect and interdict command/control from hackers and detect abuse of the traffic lights. Networked but safety critical systems such as traffic lights should have a fallback unnetworked mode (old fashioned timing in the case of traffic lights).
The point is there isn't any one size fits all solution but if we focus on risk reduction, periphery detection and, where critical, ways to disable networked behavior we can protect our infrastructure significantly better than it is now.