Ah, but these are the brokers we're talking about. The devices themselves may be knocked out by a wage-slave in a Shenzhen factory and vulnerable to everything, but the brokers are run on proper computers and written by people who care. They should be no worse than any other daemon, e.g. apache, ftpd.
Running Mosquitto here, with no regrets about that after this article.