Reading this is fairly eye opening as it explains the different methods attackers use to gain access to your NAT-"firewalled" IoT device. It was also a useful reminder that IoT items aren't just "IP cameras", but routers, printers, and other stuff that most people have had for years.
You can skip to page 34 for the most important problem with most of the headline devices though (which also explains why owned cameras is a big thing, but less so owned routers): insecure "cloud" servers that provide connectivity to your IoT devices when you're off network. For example, it provides the connectivity that allows an app on your phone to access your baby camera remotely.
The servers typically provide way too much information, and often provide access to the entire camera, not just the video stream. As a result, hackers can, by scanning a range of camera IDs using the server at minimum find out what the public and NAT IPs are. They may be able to send arbitrary packets, including those to backdoor debugging ports, depending on the server, without even needing passwords.
Outside of using that server, hackers become more dependent upon heavy, probably noticeable, scanning, making it increasingly difficult if you don't already have compromised hardware.
My takeaway? Go after the manufacturers. There's stuff they can do right now by patching just two things: the gateway servers they are running right now, and the apps that use them. Yes, in this case, it's worth doing - those here saying "Oh they're all fly by night, you can't reach them" forget that if that were truly the case, there wouldn't be a problem, because the gateways they're running wouldn't be up.
Someone is running the gateways. Those people can fix them right now, and need to.