Re: "It isn't rocket science. "
However it does cost money, it does take time, and it is something that early IoT developers conveniently forgot to implement.What's more, if you want to do it properly (like Visa and Mastercard insist smartcard manufacturers do) then you need an HSM housed in a secured manufacturing environment.
Indeed, if you want to do it "properly", to financial investment standards, then yes, things are more expensive. If they did decide to do it that thoroughly, I'd be impressed.
It needs to be "good enough". Securely generated asymmetric keys would be "good enough". Algorithms like Diffie Hellman provide ways to make something that is "good enough".
What they did is not "good enough". It wasn't even trying.