UPnP? Ugh. That's just asking for remote attacks. Let's expose my IOT device to the whole internet. We've never seen that cause a problem before.
The other option is to have the devices reach out to a central server (which is what things like TP-Link Kasa, Frigidaire, Hue, Echo, TiVo...) all do. Now we're dependent on the central server keeping running! We've never seen those companies stop supporting devices or shutdown servers...
At least Kasa devices and Hue hub expose local network endpoints (unauthenticated so anyone on the local network can reach them) so if the central server does go away then at least freeware alternatives can be written.
There is no win... just various shades of lose.
Biting the hand that feeds IT
