The fact is, companies are putting out new, innovative devices the same way they've always done it - they come up with a neat idea, get it to work, meet whatever regulations they have to, and put it on the market. There is no step in this process that explicitly calls out security. While security professionals would argue that security is supposed to be baked into the whole deal, that's not what happens. As a result, you get a flawed platform that puts people at risk. In these two cases, that risk is pretty remote, but it's there.
As we start to integrate more and more things into the Internet of Things (IoT), we give up more and more personal control of the security of our information and the things that run our lives. We trust companies that are integrating the products that we buy to take the necessary steps to secure the product just like we expect a cereal manufacturer to ensure the purity of their ingredients and the car manufacturer to test the safety of their cars.
One of the things that ensures that both the cereal manufacturer and the car manufacturer adhere to these expectations is the government. Now, I'm not in favor of bigger government or increased regulation, so we need to look at alternatives. The government is a big stick that should only threaten industry with its overreaching power to the point that companies start to think and police themselves. What is needed is a consortium, funded by all the players in the IoT space, that produces guidelines and keeps technical recommendations up to date for implementing new features and operating systems. Something like the loose collection of similar-minded security thinkers such as I Am The Cavalry isn't going to be enough. Instead, money has to be spent, and rules need to be written. Think of it as a much, much better designed and run version of Underwriters Laboratories.
For now, we will keep reading about one-off companies who take existing, possibly flawed, code and hand-jam it into their product to get things working and then deal with the security fallout afterward... or possibly never. Like the HVAC guys who install a web-accessible control panel that they really don't know anything about, companies will put people at risk out of sheer ignorance until something is done to fix it. And something should be done now.