Heffner added that PCI compliance does not guarantee security either. "Just because you've checked all the boxes doesn't mean that you can't be hacked," he said.
Hagins and Schneier both say if security is going to improve in embedded devices, there will have to be a way to do updates, or patches, to fix vulnerabilities. "The ability to update software, even embedded firmware, is critical to the ability to address undetected vulnerabilities," Hagins said.
"The big problem is that there is no way to patch them," Schneier said, "and as these things proliferate, hackers are seeing that the better target is not the computer but the router (the way most home devices connect to the Internet)."
Ultimately, even though the consumer cannot be expected to understand software security, experts expect it will take consumer pressure for the security paradigm to change.
"Consumers think stuff is secure, even though nobody told them it is," McGraw said. "So there is a big disconnect between implicit expectations of security and the real situation. Right now, they're too psyched about how cool smart TVs are, but when their expectations go down in flames, consumers get mad. And then, companies will have a reason to respond."
Once consumers understand the risks of insecure products, "they will vote with their feet when it comes to buying, recommending, and using devices," Hagins said.
But that awareness may come at a painful price. Schneier, asked if he thinks it will take a high-profile, catastrophic hack of smart consumer devices to force the market to address security of those products, said, "Sadly, I think yes."