Busy looking at IOT for home automation purposes at the moment. Whole ecosystem looks quite shaky in that regard

e.g. IOTs that will happily accept commands from anything on the local net.

Yesterday I was surprised my hass.io could control a tp link power plug...I never gave it any auth...it just scanned the lan for things to control

Simple implementation, convienent UX, secure; pick two.

(Its not necessarily true, but tons of engineers assume its true. Hence, when making a low-cost product for home consumers, security is purposefully neglected.)

I make IoT devices and everything I do is closed by default. You want to reprogram it? Hard reset the hardware physically by removing the battery and then you need to know the exact GATT UUIDs and acceptable values to do anything.