Firstly you have to appreciate the web isn’t a thing. When they want to talk protocols and crypto they mean things like sockets, mqtt and talk about where on the production line the fuses for the keys will be blown and who will have access to that area. It is a different universe.

The absolutely huge thing is they want to live in a world of standard interchangeable pieces. They despise custom solutions to problems unless totally necessary or they are enormously better than the alternatives.

They will flat out tell you that they are essentially waiting for an industry standard solution to problem X to appear, and until it does these ad hoc solutions suck.

If you want IoT security you don’t need to regulate it, you “just” need to create a no-brainer to adopt industry standard model for device operation that these people can drop in place. (I hate MQTT, but think something in that ballpark with the right security model* would be a good starting point). This is a hard enough ask as is, but is made harder by the big software giants all trying to come up with schemes that put them in the middle all the time.

As an aside I also encountered a non Taiwanese executive espousing the view (with respect to slurping up network topologies via multicast) that he hates it, but as long as it isn’t illegal they have to do it. I don’t believe the law would help as you will always have bad actors and people using aliexpress - it needs to be technically impossible, hence the star networks.

Edit to add: * and provisioning process. Were it up to me I'd have something like NFC based key exchange between broker and device during setup as part of the standard.