Getting back to the IoT, most of my friends & family are technology dummies. And, in my opinion, they are too lazy to change default passwords let alone configure the security features of their devices. Even if they change passwords, they'll use the same ones that are easily guessed.
I am also beginning to wonder if developers are purposely or inadvertently giving away vulnerabilities to hackers. As a former developer, I know about setting up back-doors to bypass security, as well as known vulnerabilities about the product. Establishing a back-door is a common practice during R&D and for good reason. However, a former employee can easily take that knowledge and use it on unsuspecting consumers connected to the internet. This is why I don't think that you will ever be able to stop the hackers.