The thing is, as long as people pay for their own internet themselves, they're in complete control of what gets to connect to their wifi. So, even if all the water heaters on the market had IoT features, it's trivial to keep them offline and harmless. And should they ever come with their own connectivity solution that bypasses the users' router completely, well... it's always possible to encase it in a Faraday cage of some sort.
As for trusting manufacturers with IT security, that's not the only problem: even if they're serious about it and actually qualified to secure your device properly, personally I'm more concerned about what they do with my data - how they snoop on my habits, how they intend to misuse that data, or whom they intend to sell it to.
If there's a buck to be made, a company won't even consider moral or ethical use of the data they collect. That's the only thing you can bet on with big data.