More about standards than security
Of course IoT security is a joke; that's partly because nobody has sat down and said "Of course IoT security is a joke". There are as many protocols racing ahead as there are devices. If they opted into a standard, any sensible standard would contain a pathway to update firmware and a basic security model so that my kettle isn't a peer of my laptop.
Standards would also mean being able to buy best of breed, so a Philips light bulb and an LG telly and a Samsung fridge and a GoPro/whoever CCTV and..., and... And that would mean a market for third-party control interfaces and apps instead of the current bugger's muddle. That's the dream all this IoT speculation relies upon. But as with every good standards war, everybody loses because consumers don't trust that they'll get long-term support, so don't invest in case they back the wrong dog. And without consumer investment, manufacturers see no market.
There's nothing inherently difficult about IoT and making it good, just this isn't the place to start from. Instead, form an IoT Alliance, get some basic standards and patent pool out there and get an "IoT Ready" logo out there, and promote it across the board. Make it IPv6 only, make it able to sign up to any IoT-nominated (partitioned) route to the internet securely, manage the virtual networks centrally so my light bulb isn't watching my online banking traffic...
I can't be the only one who thinks that doing a professional job of this is worthwhile? It's worked out OK for WiFi standardisation, or Bluetooth etc.