Re: Needing TLS 1.0 is not a surprise
Some devices that I'm thinking of do have remote firmware update capability, but it definitely isn't automatic as this isn't sensible in a corporate environment. They're still 'supported' but are a legacy product and later firmware isn't going to be produced.
It's also possible the hardware isn't capable of running TLS 1.4. In one instance I know of, it does 'support' TLS 1.0, but badly. If TLS 1.0 is switched on fully (proper end-to-end certificate chain validation, etc.) rather than its default setting of 'ignore the validation and assume everything is OK' (not ideal, but it does at least stop casual users snooping traffic), the commands it sends are delayed, which causes issues.
Sometimes hardware has plenty of resources to spare, the system tools are comprehensive, and a lack of updated firmware is entirely down to vendor laziness/stinginess. At other times the hardware is difficult to code for, with limited resources and space. Not everyone is NASA with millions of pounds and bright minds to throw at problems.
The other solution is to proxy the insecure device at the client end, but that solution has to be developed, installed, requires two power and network ports, and then you have two devices to secure.