Patching only the first step
Patching sounds good - except that attackers will start inserting attacks via patching mechanisms.
This in turn requires code signing. Which in turn requires more CPU/memory power on the IoT.
Which in turn will result in every IoT device being a full on mobile CPU.
Which in turn makes the patching process more difficult and expensive.
The real issue isn't patching IoT - it is the ridiculous idea of sticking everything onto the Internet with the assumption the functionality improves.
Every move to "secure" IoT has countermoves long ago thought up by attackers, and the fundamental asymmetry of attack resources vs. defense capability - especially in IoT - is not going to change.
Biting the hand that feeds IT
