simple (in theory)
Specify that remotely exploitable vulnerabilities that could lead to data being exposed, devices being bricked, local networks being accessed, the device being reprogrammed, etc. count as a "major fault", triggering consumer protection laws.
So when [iot vendor] sells [new and shiny] and then 6 months later fails to provide a security patch, products can be returned for a refund/repair/substitution. Actually this for mobile phones too please.