It's definitely not for the consumer's benefit in most cases. No one is going to die because your Smart Keurig or 5G-TV goes unpatched for a month. Hopefully we can avoid the slippery slope and realize that these devices' internet capabilities are not for us - they are primarily for data collection/advertising purposes.

I cannot imagine a worse idea.

IoT devices are the richest source of hosts available for botnet operators to compromise because they are numerous and famously insecure. Today it's lightbulbs and security cameras. Tomorrow you wish it to be pacemakers and Toyotas?

We already know it is functionally impossible to write bug-free code which is also useful. We also know that attackers relentlessly probe systems until (that is a _when_, not an _if_) a weakness is found to exploit to gain control of that device. It is possible to write provably-correct code, but so far only for somewhat trivial applications.

Until this fundamental problem of software security can be solved, an air gap is the _only_ reliable thing that can protect life-critical software from external remote attack.

But critical components should be designed as simple as possible, and be thoroughly tested before device release. Releasing garbage and then patching it OTA doesn't really work for safety critical things. Not so long ago cars didn't have capability to upgrade (firmware on mask ROMs) and I don't think something horribly bad happened.