"[..] has no way to learn how well it has been protected from attackers.”
Another nail driving the coffin of IoT security in the minds of the masses. Enough of this, and we just might get the message through to the companies responsible for this mess.
Of course, one response to the problem would be a Board of Certification, judging IoT products and giving a rating, including security concerns. That, however, would probably end up as useful as MPA ratings and just as ignored.
Official ratings on computer games or films do not have for consequence the possible loss of one's identity to a hacker. Bad or nonexistent security in an IoT thingy does and, as these bloody are invading the vehicular aspect of our lives, danger to life and limb is looming.
That needs legislation and enforcement, not just certifications.
IoT security should literally be open source, it's the only way to be sure.