I agree with you. I was just using the NIST as an example because they've been in the news recently; they just released some new security standards that are actually quite good! Presumably we'd use an independent organization whose whole job is to come up with best practices for the security of IoT devices.
Semi-related aside: Microsoft Active Directory violates the NIST's new password hashing guidelines because it doesn't use a random salt when storing password hashes.