> If consumers actually cared about their IoT devices receiving security updates, companies would be doing it.
I don't think this is true. Security issues don't matter until they do, and consumers -- by which I mean "people" -- are notoriously bad at estimating risk for sufficiently rare outcomes.
To take a common example, insecure internet-connected baby monitors can literally give strangers video access to your home (not to mention your child, although we don't need to resort to "think of the children"). I think most consumers make purchases with the reasonable expectation that the product isn't going to violate their personal security without them knowing.
As a concrete example to the contrary, even many laypeople I know consider home assistants like Alexa to be too risky -- they don't like the idea of being overheard and monitored by some unknown "other". And that's almost literally part of the product description! When consumers are aware of these issues, they do care. The idea that they currently purchase as though they don't is confounded by a lack of awareness on the one hand, and a reasonable expectation to the contrary on the other hand.
Consumers often purchase insurance for low-probability, high-impact events. I would infer that the fact that consumers are not purchasing insurance for these devices means they don't think it's that big of a deal.