The problem is that you can apply that logic to anything at all. If a parent installs a desktop that has a camera on it, for example an all-in-one machine, they have now recreated the same environment. A malicious actor who gained access to that machine would have the same capabilities as one who gained access to this IoT device. They can't easily keep moving that desktop around with them.
I don't think we'd believe them totally blameworthy if that computer got infected with malware to their detriment. Yet if it did, they're likely much more responsible for the problem than someone who installed this IoT device. From the sound of it, the cameras could be accessed with relative ease online by guessing a password, while getting malware onto a desktop usually requires the user to fall for a fake download or phishing email. On this basis, attempting to blame the parent for something the manufacturer could prevent seems limited at best.