Denial of service?
As well as maybe being able to pretend to be the original device, this would also be a denial of service - that original sim will stop working and the real IOT traffic which should be transferred will now either be lost or stuck?
Not an expert on this type of thing, but can that sim be brought back online with the original details or will someone have to physically put another one in? The second will be a major PITA, but the first could result in a tug-of-war, unless extra security is put in place? Plus what's the betting that the attacker would be the one to ask for extra security and the original owner then won't be able to get it back?