It doesn't HAVE to be insecure
There's no reason that IoT has to use Swiss cheese as a firewall. I think you'd be hard pressed to break into any of the various IoT devices in my house. Mind you these aren't off-the-shelf IoT devices. They're bespoke devices with various SBCs and Arduinos at their cores put together by someone who knows a thing or ten about security and that, unlike most commercial IoT devices, get updated regularly. They're both less expensive - the latest device, controlling 8 light switches, cost about $10 to build and could have been less expensive if I'd used an Arduino instead of a SBC but I was being lazy - and far more secure - I'm fairly sure that they're all a good deal harder to break into than the my router - than the stuff I could buy to do the same jobs. But if a middle aged nerd can build IoT devices in his spare time that aren't chock full of security holes I don't see why a company building delivery bots that are going to be responsible for millions of dollars worth of product couldn't do it.