I'm saying that if someone seriously wants to end insecure IoT gadgets, there is nowhere else in the chain, other than the end consumer, to usefully target. Manufacturers are typically overseas in jurisdictions where the appropriate regulations won't reach, and retailers can be bypassed by online sales and delivery. So if you want to use the threat of lawsuit to discourage insecure devices, the end user who purchases the device is the only entity in the chain who can be targeted.

And, you have to admit, it'd be effective: the market would instantly collapse if device owners could be held liable for damage caused by their devices.