
> some are locked down for user control of networking, but simultaneously designed insecurely as, say, "smart web cams" without the necessary incentives to keep them secure.

The Internet of Scary Things.



The S in "IoT" stands for "security".


I wish you were less right. I'm working on this "whole world connected" system and the things I see developed in IoT devices are just too scary (like sending your Wi-Fi SSID and password unencrypted to some distant server about every minute). The only way for some damage mitigation will probably be some kind of IPS/firewall hubs so that all your "smart" devices are isolated.

When someone connects 1000 different devices into one system, he now has 1000*x potential holes into this system. Requiring that every connected device is perfectly secure is just not realistic. Even those with the biggest budgets can't be totally secure, so what do we expect from some small manufacturer with two programmers and tight deadlines? We need to have good firewalls for IoT devices.


I've speculated before about the idea of having ISP service packages include CPE that by default supports UPnP only on a VPN interface that's automatically configured and matched with an ISP-resolvable domain name for the customer's use.

To your point here, it seems reasonable to have that VPN interface also apply an outbound traffic firewall that defaults closed - that'd put a hard stop to the kind of trivial yet horrific exposure you describe, and making automatic firmware updates require extra effort to work seems like a relatively small price to pay. (After all, it's not as though device providers who fail to scruple at that kind of atrocity are going to be putting out security updates on a regular basis...)



