Seems like a fitting area for government regulation and certification. But in order for a government to even begin to consider the lack of security in IoT a problem, the adoption must ubiquitous. I.e. the devices (or the number of thereof) should pose enough a threat to public infrastructure (think botnets) to be subjected to regulation. Is there such an incentive in any country at the moment?