Re: "There is no financial incentive for any firm to implement IoT security:"
No, there isn't, because the average person is too stupid to make the connection, and You Can't Fix Stupid.
Problem is - even relatively intelligent non-techie people have no clue about the risks of connected devices. They see the convenience and shrug away the risks.
On a personal note - Last week wifey bought a creepy connected talking teddy for our toddler. I told her the thing is nothing other than an unsecured Bluetooth headset connecting to a dodgy app. Anyone around can connect to it. The app can probably be hacked as well, and the Android tablet it runs on hasn't seen a security update for the last one and a half years.
Wifey shrugged it away and meant that there is nothing interesting any listener could hear in our house, anyway. The depressing truth is - she is probably right.