I want to add that I am not sure yet what my position on this is. But I think your analogy is not correct - and please feel free to correct me if I am wrong!
Imagine the following scenario:
Manufacturers sell weapons cabinets to people. Only weapons cabinets are not hidden in your home, instead they are put out on the street. And now comes the dangerous part: These weapons cabinets do not lock. Because the manufacturer decided that locks are not necessary.
If someone comes along, should he just ignore this or should he make the weapons unusable?
Because that is what these devices will be used as: weapons.
I think a big problem here is that people are discussing points like manufacturers should be blamed / fined, or that the owners of the devices should be responsible etc, but no one is addressing what seems to be the real issue that most owners of these devices don't understand them enough to actually know these issues potentially exist.
In your analogy I would say it's not that people are leaving these weapons cabinets on the street unlocked, but don't know that it's possible to lock or hide them.
Another good example would be cars: if you went to the showroom and someone showed you two cars, one with no locks on the door that was easy to start without the keys, and one that had proper security, the choice would be easy and you could understand what you're seeing.
If you go to a shop and someone shows you two IoT devices that do the same thing, and look identical, you can't really see anything that helps you learn about the security features, and as an average person if you're told one has certain "tech speak" security words you don't understand, are you really going to make the choice to spend more money to protect against something you don't fully understand, that you don't see any effect from?
Yes, manufacturers should be made to release products that are secure and respond to security issues in a timely manner, but we also need to educate people that computers aren't some magical box beyond their understanding; blaming owners in these cases would I think make the issue worse.
If you consider that the majority of people who have the internet get their ISP to set up their router, and only have a basic understanding of what that device does, how can we expect people to understand what the potential issues of open ports or vulnerable firmware are? And then could these people even be educated to the level we would need for them to be responsible for securing their own devices?