
For those looking for a good overview of the challenges of complexity in IoT security, OWASP's Aaron Guzman gave a great talk at Defcon 23 on the complexity of IoT, from the device to the cloud platform to datacenter resources.
Pay particular attention to the number of layers in the device, from board to ODM to OEM. Each introduces a layer of software in the form of an SDK, each of which has a high probability of containing vulnerabilities. At this layer the device almost never gets reflashed or given a firmware update, so the majority of devices are still running the original kernel.
This is why a holistic security architecture that promotes an iterative, risk-based approach at each layer of the IoT ecosystem is so important.