I think you're missing the fact that a line of devices from a manufacturer is still a "class." If you have thousands or millions of devices out there with untested, DIY crypto, then that's still thousands or millions of devices rendered malicious when a vulnerability is found & exploited. At least vulnerabilities like Heartbleed were quickly patched and widely publicized. IoT vendors have been historically horrible when it comes to providing updates.