"Finally - as to the suggestion of arresting USERS because they have insecure IoT kit - that's stupid, there is no way that could ever be proposed to be added to law"
That depends on how bad the problem becomes. There are several points to apply pressure.
One is the marketplace, via the types of regulation and certification that are in place already for electrical safety etc. It allows Trading Standards or the like to deal with vendors in the country and customs to turn away incoming shipments. There's absolutely nothing novel in principle about this, it's just that govts. need to be kicked into motion to get a round tuit.
Another is the ISPs and through them the users. They can be required to put it into T&Cs that non-compliant kit can't be exposed on the net, either outside of firewalls or via UPnP.
Finally, after due warning, the users themselves: if they insist on connecting stuff, it can be made an offence. In practice, of course, the ISP would almost certainly deal with it by cutting off the customer but having the illegality as back-up to deal with awkward customers.
All this combined would make non-compliant stuff unsaleable. That would lean on the manufacturers more effectively than trying to negotiate international standards.
That leaves countries that are reluctant to get round to doing such things. "Nice internet connection you have there. Shame if it got disconnected for an hour or two now and again. Or a day or two."