I don’t normally think class-action lawsuits move the needle much, but in this case they seem justified because these companies are effectively dumping toxic waste onto the Internet. And make no mistake, these IoT things have quite a long half-life: A majority of them probably will remain in operation (i.e., connected to the Internet and insecure) for many years to come — unless and until their owners take them offline or manufacturers issue product recalls.
One of the many appalling things about these things is that many just cannot be secured at all. It's all smoke and mirrors : the web interface might let you change the default password, but this might not actually save it. Or there are other default passwords (for other routes into the system) that cannot be changed.
Some security experts are now coming round to the idea that the government might need to step in and mandates some fixes. The EU appears to be starting down this route now.