> Disagree, it is extremely common for e.g. TVs and smart phones to ship with malware included.
Both are common! But there are many hundreds of thousands of known software vulnerabilities.
> Having the thing never connect to the Internet at all and never receive updates is a far better security posture
It might be, depending on the particular situation. But it doesn’t really matter for IoT devices, because they all, by definition, connect to the internet. “Don’t connect to the internet” is a nonsensical suggestion for IoT devices.
Both are common! But there are many hundreds of thousands of known software vulnerabilities.
> Having the thing never connect to the Internet at all and never receive updates is a far better security posture
It might be, depending on the particular situation. But it doesn’t really matter for IoT devices, because they all, by definition, connect to the internet. “Don’t connect to the internet” is a nonsensical suggestion for IoT devices.