It's a problem with the way technology scales. Previously difficult things become cheap to do at massive scales, and companies make tons of money doing it.
But it also makes vulnerabilities scale in the same way - exfiltrating 150,000,000 SSNs isn't much harder than 150 - and the penalties for security lapses don't scale anything like the profits from operating at these scales do.
What's the solution to that? Bigger penalties so that companies prioritize security? Require companies handling data and devices to carry insurance against huge hacks? I don't know, but we need to get somewhere better than "Ignore it because consumers generally don't understand the risks and apology letters are cheap."
The one good thing about IoT locks compared to other internet security issues is that you need physical access to do anything with them. The script kiddies spamming SSH authentication attempts at every webserver from somewhere on the other side of an ocean can't break into your house with this. Other IoT devices like security cameras are still a concern though; a vulnerability in those could scoop up a lot of private videos.