The real problem is the whole current hardware/software set: it is entirely too flexible and can never really be secured.
So securing the internet of devices requires a new fresh start. An operating system and applications, running on the device, that are all only capable of doing what they are designed to do. Every bit of flexibility taken out: if it is not necessary for functionality, it is not in the system, not in the OS, not in the application and not in the hardware.
Want a device to not do a thing, then make that thing impossible to do. So a new, custom, hugely simplified modular operating system that can only do what it is designed to do, not one bit more, running on simplified hardware that can only do what it is designed to do. So it is all about not being able to do stuff rather than attempting to control stuff it is capable of doing but you do not want it to do, which, when you think about it, is really dumb.
The whole idea is to get away from blocking bad stuff, to only allowing good stuff, and everything else, absolutely everything else, is blocked. An early step would be to create a library of allowed traffic data transmissions and then only allow those transmissions through; everything else is ignored, not even processed, just binned.
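The "library of allowed transmissions" idea above, as an added example that is not part of the original comment: a default-deny frame filter for a small device. The frame layout, the three opcodes and the name `filter_frame` are assumptions made up for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed frame format (assumption): [opcode][payload bytes...].
   There is no length field: the table fixes the length per opcode,
   so a sender cannot choose how much the device reads. */
enum verdict { DROP = 0, ACCEPT = 1 };

struct allowed_frame {
    uint8_t opcode;
    size_t  len;      /* exact total length in bytes */
    uint8_t min, max; /* allowed range for every payload byte */
};

/* The whole "library": anything not listed here does not exist. */
static const struct allowed_frame ALLOWED[] = {
    { 0x01, 1, 0, 0   },  /* READ_TEMP: opcode only */
    { 0x02, 2, 0, 100 },  /* SET_BRIGHTNESS: one byte, 0..100 */
    { 0x03, 3, 0, 59  },  /* SET_TIMER: minutes, seconds, 0..59 */
};

/* Runs before any handler sees the data; DROP means "binned unprocessed". */
enum verdict filter_frame(const uint8_t *buf, size_t n)
{
    if (buf == NULL || n == 0)
        return DROP;
    for (size_t i = 0; i < sizeof ALLOWED / sizeof ALLOWED[0]; i++) {
        const struct allowed_frame *a = &ALLOWED[i];
        if (buf[0] != a->opcode)
            continue;
        if (n != a->len)            /* too short or too long: not the known frame */
            return DROP;
        for (size_t j = 1; j < n; j++)
            if (buf[j] < a->min || buf[j] > a->max)
                return DROP;        /* field value outside the designed range */
        return ACCEPT;
    }
    return DROP;                    /* unknown opcode: default deny */
}

int main(void)
{
    const uint8_t good[] = { 0x02, 50 };      /* constructed sample frames */
    const uint8_t odd[]  = { 0x02, 50, 0 };
    printf("good=%d odd=%d\n", filter_frame(good, sizeof good),
           filter_frame(odd, sizeof odd));
    return 0;
}
```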