Experience not the issue
manufacturers who have not traditionally had experience in application development will be tasked with creating and maintaining secure software stacks
The lack of experience isn't the issue. Any experienced software engineer will tell you that all the common problems in software have been solved, and it's not a good idea to start re-inventing the wheel (even though it does still happen far too often).
No-one in their right mind is going to write their own UPnP library if there's an existing one already out there, especially one that has been pounded on by a lot more people than in your testing team, and used in situations that you never thought of. Most of those obscure edge and corner case bugs have been found and fixed, and many of the security holes plugged.
But not all. So when some more bugs are fixed, you need to update the software that uses the library (if it's statically linked), or update the library file itself (if it's dynamically linked).
It's a decent updating process that's needed - the IoT equivalent of "Patch Tuesday" for the Windows world. That, of course, has to be fed by updated code from the manufacturers, and that is the biggest challenge of all.
Hardware manufacturers don't have a great reputation for producing good software in the first place, but they have a truly terrible reputation for updating it afterwards.