If a known vulnerability in an IoT device is exploited for harm then the device manufacturer should be liable.

Right now there is no penalty for firing and forgetting half-baked IoT products onto the market.