The S in IoT stands for Security
Security is always going to be difficult. But some things are obvious: always have a choke point (a firewall) through which your external traffic must pass. Dedicate this device to only controlling traffic flow, and put as little code on there as possible; the fewer bells and whistles a firewall has, the better it should be. Reduce the types of traffic to the bare minimum. Have these choke points actively managed, with alerts being followed up by humans (yes, I know they cost money...).
As soon as anything is on the network there is a risk. And remember: The S in IoT stands for Security. :-)