
You’re not wrong, there is a lot of unnecessary vendor lock-in. But as someone who has worked on IoT, security is much trickier than you might like. Security for a non-wireless device can be completely relegated to physical access to the device, thus making security the problem of the owner of the device in a way that we have accepted security since forever. But as soon as there is a way to access a device from afar… well, suddenly there are attack vectors that most people can’t even begin to imagine. And mitigating these attack vectors starts to seem like an unnecessary burden for non-technical folk. I even had to deal with issues of a CEO and product owner not being able to wrap their heads around a few attack vectors forcing user experience compromises that they really didn’t like. It is really hard to solve the problem of you being the only person able to turn on and off your light from afar from an arbitrary device (one not paired at the factory). At the end of the day you need some way to pair a device. That’s sort of easy; Bluetooth pairing is kind of a solved problem. But now let’s say you want to transfer authorization to turn a light on and off. Well, now you need to pair the device with this new person. As a house guest, they’re not going to take the time to do this for every device you own. So companies rely on other means that often rely on some combination of authenticate and authorize in their ecosystem.


