Well, there are different threat models in the IoT world.
For example, you have sensor networks which collect essentially public information, like temperatures, water levels of a river, or whether a lamp is broken. It doesn't matter if someone listens in on them; it does matter if someone can spoof those messages.
Now, with such "fire and forget" networks, and there are many of them, you essentially have unidirectional data traffic. There is no need for an underlying bi-directional connection, as there is no need for acknowledgements. Having no input is a good way to keep malevolent input from compromising your device.
The security problem obviously lies in the actual network infrastructure. The sane solution would be for the base stations to e-mail the messages to the owner of the IoT device. If done well, they'd be encrypted and/or signed via PGP/GPG and arrive at a server which checks the signature and processes them further...
...judging by the current experience level of many IoT people, they probably use some bloated cloud system with huge attack surfaces consisting of hundreds of web services, each done more incompetently than the previous one.
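The receiving side described in the post (a server that checks the authenticity of each unidirectional sensor message before processing it) as an added, self-contained example; this is not the commenter's code. It stands in for the PGP/GPG signature with an HMAC-SHA256 tag from Python's standard library, so it is a shared-key scheme rather than a public-key one (with PGP the server would hold only the sensor's public key). The device ID, the key, the monotonic counter and the sample readings are all constructed for the example. Because the sensors never receive anything back, a captured message could simply be re-sent, so the server also rejects any message whose counter does not advance; the counter check is an added assumption, not something the post spells out.

```python
import hashlib
import hmac
import json

# Constructed per-device key for the example only. In a real deployment each
# sensor would be provisioned with its own key (or, with PGP, its own keypair).
DEVICE_KEY = b"constructed-example-key-do-not-use-in-production"


def canonical_bytes(body: dict) -> bytes:
    """Serialise the message body deterministically so sender and receiver
    authenticate exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_reading(device_id: str, counter: int, payload: dict, key: bytes = DEVICE_KEY) -> dict:
    """What the sensor (or the base station on its behalf) would emit: the
    reading plus an authentication tag over the whole body."""
    body = {"device": device_id, "ctr": counter, "data": payload}
    tag = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Receiver:
    """The owner's server: verifies each message, then processes it."""

    def __init__(self, keys: dict):
        self.keys = keys            # device_id -> shared key
        self.last_ctr = {}          # device_id -> highest counter accepted so far

    def accept(self, msg: dict) -> tuple:
        body = msg.get("body", {})
        device = body.get("device")
        key = self.keys.get(device)
        if key is None:
            return (False, "unknown device")

        # Recompute the tag over the received body; constant-time comparison
        # avoids leaking how many leading bytes matched.
        expected = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(msg.get("tag", ""))):
            return (False, "bad tag")

        # Fire-and-forget traffic can be captured and replayed verbatim, so
        # a valid tag alone is not enough: the counter must move forward.
        ctr = body.get("ctr")
        if not isinstance(ctr, int) or ctr <= self.last_ctr.get(device, -1):
            return (False, "replay or out of order")
        self.last_ctr[device] = ctr
        return (True, "ok")


def run_demo() -> list:
    """Walk through an honest reading, a replay, a tampered reading and a
    message from a device the server does not know. Returns the verdicts."""
    server = Receiver({"river-gauge-7": DEVICE_KEY})
    verdicts = []

    genuine = sign_reading("river-gauge-7", 1, {"level_cm": 142})
    verdicts.append(server.accept(genuine))              # (True, "ok")
    verdicts.append(server.accept(genuine))              # replayed: rejected

    # Attacker alters the water level after the tag was computed (spoofing).
    tampered = sign_reading("river-gauge-7", 2, {"level_cm": 142})
    tampered["body"]["data"]["level_cm"] = 999
    verdicts.append(server.accept(tampered))             # bad tag

    # Attacker invents a sensor with a key of their own choosing.
    rogue = sign_reading("river-gauge-99", 1, {"level_cm": 0}, key=b"attacker-key")
    verdicts.append(server.accept(rogue))                # unknown device
    return verdicts


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The tag covers the device ID and the counter as well as the reading, so an attacker cannot lift a valid tag from one device's message onto another's, nor re-label an old reading with a fresh counter. Swapping the HMAC for a PGP detached signature changes only `sign_reading` and the tag check; the counter logic stays the same.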