Re: Am I the only person...
The OWASP Top 10 (updated for 2017, kids!) is great, particularly in the associated resources on their wiki. But it's web-focused, even if many of the issues have non-web analogues. Many IoT devices have web interfaces, but not all, and that's not the extent of their problems.
I'd suggest starting with the SANS Top 25 or the Howard / LeBlanc / Viega 24 Deadly Sins. Then hit 'em with some actual software security theory and SDLC practices.
Biting the hand that feeds IT
