IT security is not the same as IoT security (or OT). Context and protection vary...
... that means that not all practices are practical - or even helpful - in IoT. For example, encryption is not always necessary, hence baking it into law would not be a good idea (unlikely too, as governments - especially the US - have not favoured strong encryption). Security is a moveable feast, hence law needs to focus on security objectives and removing malpractice, not specific methods. The same point applies to 2FA - the access control authentication modality should be commensurate with the application.
UK gov is looking to regulate for consumer IoT - includes passwords and patching - see https://www.gov.uk/government/news/government-to-strengthen-security-of-internet-connected-products - not perfect but it's a useful start.
The IoT Security Foundation published a paper on Healthcare IoT (and a few others) - see here https://www.iotsecurityfoundation.org/best-practice-guidelines/