Good regulation isn't impossible. For example, mandating a unique admin password for each IoT device would go a long way to helping prevent this kind of fiasco.
How would a unique admin password help in cases where there's a backdoor accessed via an open port? A lot of the devices used last Friday had port 23 open. The password used in the backdoor was compeletely separate from the device admin password.
Your advice is good but it wouldn't have helped last Friday.
