At some point surely the people who are not willing to pay for security, cannot be bothered with security, yet will buy IoT crap have to take some responsibility? After all, they are the market which is being catered to.
At least in the US that's not how any other product category works. People have offloaded all safety and security concerns to the government or the market so that it's just assumed that any mass-produced product is safe enough and customers don't need to worry about it.
A lot of places try to manage that by holding retailers responsible - making it a fine-able offence to sell, for example, RF emitting gear that breaks local regulations. This _kinda_ works where most of the retailers are concerned about their reputation and are in the local jurisdiction, but breaks down _fast_ when thinks like AliExpress are taken into account.
(And it even occasionally fails spectacularly in cases where it _ought_ to have worked OK - people offloading lithium battery charging safety to large locally represented brands like Samsung instead of self-importing Xaiomi or Doogee "brand" phones directly from China...)
