Let's be honest, IoT device implementations are not secure enough. Most device RTOSs have security features like TLS available, and items like the removal of default credentials are still required (unless you are in California!) The scary thing about IoT is numbers, the same basic hygiene as applies to any other system will go a HUGE way in protecting them, and the systems to which they are connected. More advanced solutions can use more advanced features, but they come down to same basic ideas. Don't expose services you don't need, and authenticate/authorize all communications. Beyond that you are mostly looking at lifecycle management and ease of operations.