Do You Really Expect This to Work?
Sure, you can push security updates out for a while... but eventually, someone will break the signing key. Then your IoT device, many of which have short lifespans but all too many remain in use for decades (like, say, your car festooned with IoT? your security camera which works good enough?), will suddenly get APT invites to the land of botnets and accept them.
It is an improvement over the current braindead implementations out there now though.
The only real solution is, well, planned obsolescence. The device stops working when the key set is projected to be "too weak to resist attack". Manufacturers will love it! A selling opportunity based on security! Sadly, it might be appropriate.