IoT & Patching - The bigger picture issue is Trust is Dead
With IoT, every device has a potential secret agenda, not in your interest...
State actors see IoT as a target to be acquired and tracked. Hackers as well, but for hijacking / extortion / DDOS purposes etc. Commercial firms see consumer IoT devices as a means for getting 'consumer intel' (Vizio-TV's etc). All of them see IoT devices as merely 'rented to you' for the purpose of different types of Monitoring / Tracking / Surveillance.
Even if a WebCam manufacturer offered timely updates, would you trust them coming from China or Vizio-HQ etc?
What we have basically is Intel-Management-Engine meets Adobe-Experience-Cloud in one package. Or lots of sneaky anti-consumer practices underpinning tech and fundamentally eroding trust. Even if open standards were followed at hardware and OS level, and you could get all your patches from a website you trust sha256 verified etc... There are just too many bad faith actors out there wanting to distort the process. Who can you trust? For this reason the entire premise of IoT is for sht!