Any company that sells an IoT device with a factory-assigned password that is not randomized should be held accountable.
Actually, that wouldn't even be necessary if vendors set up the "OS" and networking in a sensible fashion. For example, let's take the WiFi-connected light bulb. I would have no problem with the factory default password being "password" on all of them, if the only thing you can do with a password is to turn the light on and off, or change the color. At that point, the worst thing that can happen is that a neighbor plays pranks on you, and after the first time, you will learn to set more reasonable passwords. That holds if the operating system on the light bulb is configured safely enough that it really can only act as an endpoint, does not have the capability to start a connection, and its only functionality really is to turn the light on and off.
The real problem is actually much worse, and the default password "password" is just the tip of the iceberg: A lot of IP-connected devices are just engineered really badly. Cheap manufacturers find a random OS, don't bother to think through security, don't bother to think through usability in unusual situations and recovery from unusual problems, and ship it.
How many reports are there actually of household IoT devices being used for botnets?
And what rigoletto said is absolutely correct: 99.9% of IoT does not happen in the public eye. Nearly all of it happens in industrial and commercial settings, on networks that are usually completely shielded, and much of it causes no problem whatsoever, and is of high economic utility.
I know that my household is not a good example of an industrial site, but I do have exactly a half-dozen IoT devices around. None of them are even reachable from the world-wide internet (my router won't let packets from the outside get into them unless they belong to an existing connection). I know that 2 of them are capable of connecting to the outside, but I do monitor what they connect to, and open just those destinations and ports. I'm quite sure that they are reasonably secure, with passwords complicated enough that I have to look them up every time I need to actually use them directly.
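The router policy the commenter above describes (drop unsolicited inbound, let devices out only to destinations and ports that were observed and explicitly approved, and give a device such as the light bulb no ability to initiate connections at all) can be written down and checked before it goes on a router. The following is an added example, not code from anyone in the thread: it models that policy as a small packet-decision function and renders it as an nftables fragment. All addresses, the IoT VLAN range, the interface-free chain layout and the approved destinations are constructed placeholders.

```python
"""Per-device egress allowlist with stateful inbound filtering for IoT hosts.

Constructed example. Device addresses, the LAN range and the approved
destinations below are placeholders, not real hosts.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network

# Assumed IoT VLAN; everything outside it is treated as "the internet".
LAN = ip_network("192.168.10.0/24")


@dataclass(frozen=True)
class Rule:
    """One approved outbound destination for a device."""
    dst: IPv4Network
    proto: str  # "tcp" or "udp"
    port: int


@dataclass
class Policy:
    # device address -> destinations it may initiate connections to.
    # A device listed with an empty allowlist may never initiate anything,
    # which is the "endpoint only" light bulb from the thread.
    allow: dict[str, list[Rule]] = field(default_factory=dict)

    def permits(self, src: str, dst: str, proto: str, port: int,
                ct_established: bool) -> bool:
        """Decide a single packet the way the router would.

        - Packets on an already established/related connection pass (stateful
          filtering lets replies back in).
        - A new connection from a LAN device passes only if (dst, proto, port)
          is on that device's allowlist.
        - A new connection arriving from outside the LAN is dropped; nothing
          on the IoT network is reachable unsolicited.
        """
        if ct_established:
            return True
        if ip_address(src) not in LAN:
            return False  # unsolicited inbound from the internet
        for rule in self.allow.get(src, []):
            if (ip_address(dst) in rule.dst
                    and rule.proto == proto and rule.port == port):
                return True
        return False  # unapproved destination, or a device that may not initiate

    def to_nft(self) -> str:
        """Render the same policy as an nftables forward-chain fragment.

        Default policy is drop; the ct-state rule implements the stateful
        inbound exception, and one accept line per allowlist entry implements
        the egress allowlist. Output is plain text for `nft -f`.
        """
        lines = [
            "table inet iot {",
            "    chain forward {",
            "        type filter hook forward priority 0; policy drop;",
            "        ct state established,related accept",
        ]
        for src, rules in self.allow.items():
            for r in rules:
                lines.append(
                    f"        ip saddr {src} ip daddr {r.dst.with_prefixlen} "
                    f"{r.proto} dport {r.port} accept"
                )
        lines += ["    }", "}"]
        return "\n".join(lines)


def example_policy() -> Policy:
    """Constructed sample: one cloud-connected device, one endpoint-only bulb."""
    return Policy(allow={
        # thermostat: its vendor API over HTTPS and one NTP pool
        "192.168.10.21": [
            Rule(ip_network("203.0.113.10/32"), "tcp", 443),
            Rule(ip_network("203.0.113.0/24"), "udp", 123),
        ],
        # light bulb: listed so it is known, but may initiate nothing
        "192.168.10.30": [],
    })


if __name__ == "__main__":
    p = example_policy()
    print(p.permits("192.168.10.21", "203.0.113.10", "tcp", 443, False))  # True
    print(p.permits("192.168.10.30", "203.0.113.10", "tcp", 443, False))  # False
    print(p.to_nft())
```

The `permits` function is the part worth keeping in a test suite: when a device starts talking to a new destination, the new tuple either gets added to its allowlist deliberately or the connection keeps failing, which is exactly the "monitor what they connect to, and open just those" workflow. Note that `daddr` here uses the network's prefix notation, so a single host renders as `/32`, which nftables accepts.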