Most IoT products are connected to a central "hub" – which the provider owns. This is very convenient for the provider, as it means that I am dependent on them to keep their products working – and if they wish to shut me off from them they can easily do so (as stated in the T&Cs – probably). This leads on to a whole load of other concerns – is the company investing enough in security for their servers (or are they more concerned with profit)? Probably the latter.
I think that the IoT should become decentralised: a system with a hub that the user buys (which operates on a radio channel and powerline), where the hub has a secret and public key and would use RSA to provide orders to the devices and receive orders from the user's smartphone securely – with no need for a central provider, which could be hacked or, more likely, go bust.
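The hub-to-device half of this proposal, as an added example that is not part of the original post: the hub signs each order with its RSA private key, and a device checks it against the hub's public key. The RSA-PSS padding, the per-order counter used to reject replays, and all names (`Order`, `Device`, `NewHubKey`, `SignOrder`, `Accept`) are assumptions of this example.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

type Order struct {
	Counter uint64 // rises with every order the hub sends
	Command string
}

func (o Order) digest() []byte { // binds counter and command into one hash
	sum := sha256.Sum256([]byte(fmt.Sprintf("%d|%s", o.Counter, o.Command)))
	return sum[:]
}

// NewHubKey creates the hub's key pair; the private half never leaves the hub.
func NewHubKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// SignOrder runs on the hub and signs the order digest with RSA-PSS.
func SignOrder(hub *rsa.PrivateKey, o Order) ([]byte, error) {
	return rsa.SignPSS(rand.Reader, hub, crypto.SHA256, o.digest(), nil)
}

type Device struct {
	HubKey *rsa.PublicKey // hub's public key, pinned when the device is paired
	Last   uint64         // highest counter accepted so far
}

// Accept checks the signature first, then rejects replayed or stale orders.
func (d *Device) Accept(o Order, sig []byte) error {
	if err := rsa.VerifyPSS(d.HubKey, crypto.SHA256, o.digest(), sig, nil); err != nil {
		return fmt.Errorf("bad signature: %w", err)
	}
	if o.Counter <= d.Last {
		return fmt.Errorf("replayed or stale order: counter %d", o.Counter)
	}
	d.Last = o.Counter
	return nil
}

func main() {
	hub, _ := NewHubKey() // error ignored only in this demo
	dev, o := &Device{HubKey: &hub.PublicKey}, Order{Counter: 1, Command: "lamp:on"} // constructed sample
	sig, _ := SignOrder(hub, o)
	fmt.Println(dev.Accept(o, sig), dev.Accept(o, sig))
}
```

A signature authenticates an order but does not hide it, so anyone listening on the radio channel or powerline can still read the command.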