Average users have a VCR? How would it work if they don't set the time on it?
You bought (whatever) it (is) - so that becomes your problem. The average user falls for the marketing of "your app controls your fried chicken" bullshit and buys the IoT chicken frier. So you won't buy that frier. Good for you
The manufacturer might be in another country or bankrupt. You should go after the user and then he might go after the manufacturer or his insurance if he wants.
But on more realistic terms, my hope is that if this gets really bad, then a consortium of huge internet firms can start blacklisting bad IPs. If John-Random-Guy can't connect to google/facebook/akamai/etc then for sure he'll at least unplug the device
You bought (whatever) it (is) - so that becomes your problem. The average user falls for the marketing of "your app controls your fried chicken" bullshit and buys the IoT chicken frier. So you won't buy that frier. Good for you