Why does this stuff need to update ?
IoT is about inserting Internet connectivity to stuff that we're already using for dubious purposes. I'll pass on the fact that, apart from Wifi, Blutooth or video (for which we already have dedicated hardware that works satisfactorily), nobody has found anything remotely compelling to put into a IoT thing.
Now they state that updates are a requirement. I understand that security is something that every vendor would like to put at the top of the bullet list without paying a dime for, but is security really the kind of thing I want to see in a light bulb ? Is there no other way of defining the utility of a network-connected chair ?
Maybe security should be designed, not into the IoT thingamabobs, but into the router/switch/hardware that talks to them. Let me clarify : a light bulb may be able to talk over the Internet, but only if there is hardware from an ISP connecting the household to the Internet. Yes, I know about the WiFi Ethernet attempts. One thing at a time.
If IoT can only work with a hardware portal to the Internet, then it is those things that can handle the security. The router could very well be configured so as to 1) not allow general interaction from the Internet or the local network to the IoT thingies, and 2) handle updates from the Internet to a given IoTmabob, on condition that said update is properly signed and comes from the proper domain (no use BitTorrenting an update here).
Would that not solve a bunch of possible issues ?