Which is more secure, an old phone with a version from a trusted source or an old phone on the latest version you downloaded from somewhere on the internet? Neither. People worry about the IoT being insecure; there's so much more which industry abandons as it isn't profitable.
How this can be fixed I don't know, there are so many variations with software. Only way to control it would be like Apple, where devices are locked down from user access fairly well. Always a way round though (eventually).
I'd go for user education, take some responsibility for what you're doing and do it better/put in working practices which make you more secure. Maybe then when users realise they're not secure/at risk they'll push back and manufacturers will take notice.