"And then make it illegal to run a vulnerable device if it's connected to the net."
Another fine law to make criminals out of ordinary people.
I have an IPCAM. I wanted it mostly as a toy, but it is useful for keeping an eye on things when I'm not around. See what the cat is up to, etc.
Out of the box, it uses uPNP to punch a hole in the router for itself. It announces its presence to several foreign servers, and it has a default telnet login of root/123456.
I've hacked the startup script (luckily writeable) to replace the hosts file numerous times at boot to direct all of the domains that the camera uses to localhost (obtained by connecting the camera to network sharing on my PC and wiresharking what happened during boot). The uPNP failed as I've disabled that on the router. There's a STUN to an IP address that I can't do anything about (my router is an Orange Livebox so it doesn't do fancy things like blocking individual IP addresses). The default password cannot be changed. I can use chpasswd but the next time the thing is rebooted, the firmware writes a new passwd file with the root/123456 combination. I also very much doubt the online firmware upgrade is in any way secure. I will, some day, make a binary hack to the main program file to replace the firmware cgi filename with gibberish (to disabled that) and change the baked in password to something else. I tried a sleep 60 in the boot script, but the thing overwrote it with the default. It's of lower importance as you'd need to be in my local network to access it.
I'm a nerd. I could play with this and fiddle with it. I'm sure many people will just buy the device, plug it in, and expect it to work with "the app". If that's all it takes to be a criminal, there's no hope.