Re: the internet isn't the problem
Actually, that is a good question. What about reverting to the immediately preceding release instead? A lot of the Chef-based devops deployment cookbooks I have been looking at are based on delivering a codeline (for the actual application code, not the ancillary services) that gets stored in a directory, along with preceding codelines using a hash/incremental naming scheme. To activate that codeline, you just point "current" to it via symlink and the rest of VM only refers to "current" to run the application.
Many actual cloud-y VM implementations don't so much do that as drop the VM and rebuild a new one with the new codeline, even though this mechanism is in place. Easier. In IoT land, however, you can't just nuke the device. But, at the cost of doubling storage requirements, you could implement a fallback-to-previous scheme.
And, I would submit that the internet (culture) IS the problem here. Nest had a presumably stable product until they iterated it once too many times and got to a failed state. But a physical thermostat is not a cloud VM you can easily drop and replace. It requires a different state of mind in terms of management (avoiding bricking), security and user control. Ultimately it means acknowledging that its continued good operation is somewhat more important to the user than a cloud FarmVille or Twitter clone having six sigma uptime.
On the positive side, at least we are seeing a culture that should encourage fixing bugs in embedded software.