You've made a big assumption there. That the toy is on the other end of a routable internet connection. Sure, if that's the case you deserve everything you get.

Clue: Having an IP address doesn't mean you're open to the internet, any more than having your bedroom door open means you're welcoming the public in.

Why on earth would you put an unknown device on your internal network without firewalling it off? Security belongs at the borders. That's why you don't need to care about the internal security of these devices - because if your network allows them incoming or outgoing access you've lost.

Expecting any vendor - especially malicious ones - to do your security at the device level is silly. A toy isn't going to be as hardened (or as trustworthy) as a gateway router so why even waste your time testing it? Put the security where it's under your control, not the toy manufacturer's.

