Re: I hope "the answer" isn't EVEN MORE gummint...
"The manufacturers don't care because their sales are OK. The sales are OK because the customers don't care either. The customers don't care because when the hackers take over a device they normally take care to ensure that the customer rarely notices anything happening; once in control, some of them even apply patches to stop other hackers getting in."
Seat belts are an example of how this can be made to work. One factor mentioned was that governments mandated fitting (Charles 9 will be along any second to mumble about grey markets). The other factor was the governments mandated using them if you were on the public roads. And we now have the situation where cars are not only fitted with them, in many cases they'll bleep at you if you go at more than a snail's pace without doing them up.
How could we apply such thinking to IoT?
First, we'll need to mandate some requirements such as any default passwords must require a reset at initial startup or after a factory reset and something like type approval for devices which meet the current standards.
Now we can make it illegal to connect such a device to the internet* (you can have as many as you like on your intranet, just don't let them leak out).
Alongside that we make the ISPs responsible for their nets: they become accessories to anyone exposing a rogue device.
ISPs care so they'll deal with customers, cutting them off the net if required.
Customers care because they lose their internet if they expose a rogue device so they'll take care to buy type-approved devices.
Manufacturers care because sales of un-approved devices are falling (even in the grey market) because the intranet market won't be big enough to sustain them and, if everyone is having to manufacture to the same standard, there's no price advantage.
*Shodan has demonstrated that these devices can be located.