You'll never find a perfect solution. But that doesn't mean you don't implement at least the most modest of controls. If the manufacturer is held liable for security, then devices won't ship with default passwords and goatse-sized vulnerabilities.
After two years of updates, the majority of vulnerabilities that do ship will mostly be identified and patched (or should be at least). After that, a general herd immunity will develop. The devices left insecure after two years will have so much variety between them with different models and versions that it becomes impractical to target them.
IoT devices are less complex than PCs. They typically serve a single purpose with minor user interaction. A secure kernel running a well-written web interface makes for a VERY SMALL attack surface. These devices are only targetable right now because of the blatant disregard for any measurable sign of security.