My number one concern with the Internet of things, which I think is what you're describing—Internet-connected physical devices—is that many of those devices are not updatable at all. Even if you discover a flaw in them, it's not technically possible to go in and fix it. That's an incentive for the manufacturer, where there's limited liability for flaws discovered in their products, that you wouldn't tolerate for a physical threat, for example, or a flaw, a manufacturing defect.
I do have concerns with that as a threat vector. In terms of the proper market incentives.... I was a business major, so I should have a better answer, but that's not what I focus on every day. I'm thinking from a threat perspective. Threat groups are going to be focused on how they can cause physical disruption in ways that undermine entire communities and societies. I'm much less concerned about the everyday kind of criminal malware that could affect those physical devices, and more concerned about how that creates a very intimate way for foreign governments, for example, to disable physical devices in your home as an individual citizen. I would propose that public safety is, first and foremost, a government responsibility.