Closed drivers need to die
Closed drivers are a big part of the problem here.
You can't update something that has closed drivers unless the vendor cares enough to get involved. And they won't care if they are on to the next shiny.
Linux deliberately doesn't have a stable kernel ABI or API so all of it is free to evolve.
Also, "open" kernel bits don't get merged if they exist only to serve closed userspace drivers. So these open parts just rot when the vendor has moved on.
GNU/Linux userland doesn't really do stable ABIs because most of the time you can just recompile the world, all in the repository with build dependencies, make everything use the latest and greatest, and only have a single, latest version of each lib. This is awesome, it really is. But closed drivers just don't fit into this world. So you get either freezing death spreading along the dependencies of the closed parts, or you have to drop support for things. Which is really annoying when it's the GPU and you are doing a graphics project! Or the other way round, where you can't update the kernel because of some closed component, meaning you can't use the latest BlueZ on your Bluetooth project!
If GNU/Linux and the Linux kernel went closed-friendly, they would start building up legacy crud like Windows, or now Android for that matter. So that's not a solution. On Android it doesn't seem so bad because it's a throwaway platform, but even there the crud is building up.
So a big part of the solution is open drivers.
For the internet of things, to stop it being the internet of infected old things, the hardware needs to be standardized so we can put our own modern firmware on when vendors move on.
The problem is I don't think there is enough far-sightedness around to stop the internet of infected things from happening. Only when most people's toasters and fridges are spam botnets and their TVs send everything to a blackmail gang will real steps actually be taken to sort this unholy mess out.