Manufacturers are the root cause and economics are a big issue. If you sell a 40 or 100 dollar IoT device, how frequently are you, the manufacturer, going to continue to provide updates and do so proactively? There is no ongoing revenue and only cost for doing that, and the money/margins aren't there. Smartphones are not phones but computers that cost $600, yet we see manufacturers stop providing updates in 18-24 months (Apple excepted). Look at routers that are 2 years old or so: rarely if ever do we see an update. On our PCs, Microsoft provided updates to Windows XP for 7 years, and so that is what consumers think is happening, but it isn't. If we can't get smartphones updated after 2 years, what hope is there for the $99 and $199 IoT devices?
Let's face it, getting manufacturers to provide updates for 5 or 7 years or more isn't going to happen. But it isn't just the device manufacturers. Devices now last a very long time and the economics of updates don't work for the makers. Cisco EOL'ed a perfectly fine firewall I had at our office. The hardware is just fine; I suspect the costs of building and testing new releases and updates for security issues were just too painful. Likely no one wanted to work on the old code, if there was even anyone who knew or understood it. I suspect programmers not wanting to do long-term maintenance of old stuff and wanting to move on to the next new thing is part of the problem. Even there it is the device makers' fault as well. Promotions and high salaries go to the new stuff and maintenance is considered for the "dead enders", and those folks know they'll get laid off and their jobs offshored. So you have to move to the new projects and tech and leave a place that keeps you on maintenance.
And the regulatory/legal situation is also to blame. Read a shrink wrap license or any software license. They all say that the makers aren't responsible for the fact that it's software and doesn't really work.
It needs to start with a legal framework that gets rid of the shrink wrap licenses and denial of liability, forced arbitration and the like. But then we'd hear complaints about innovation being throttled and excess costs and the like.
But don't expect action from Congress as long as they can pass the buck to the FCC, FTC, CPSC, the companies, the Executive Branch, etc.