It's a good question. So far it's been low-hanging fruit: devices people have intentionally or unintentionally opened to the Internet in order to make use of them. In this case, webcams, which people open to the Internet in order to be able to watch their dogs/fish/stepdaughter from the office. People think their IP is unguessable, or that because there's a password, it's "secure" even though it's the same password everyone else uses. I don't know what the vulnerability is in this case, but IoT vulnerabilities have often been generic vulnerabilities in a widely used piece of open source software.

Of course, IoT devices (really, any consumer device, versus application software) are "special" in that the code is often written by outside contracting houses and security just isn't on the list of requirements. I recall seeing right in the HTML of a bunch of different consumer wireless routers a comment saying "Reference code. Do not use in production." It's quite possible the code HAD been fixed and the Chinese developers just hadn't realized they should strip out the comment, but with that little attention to detail, it's not much of a stretch to imagine there were probably plenty of security holes there.

An APT can certainly MITM update checks. We've already seen it happen with Windows Update, and it's likely most IoT devices use a far less secure update mechanism. SSL at best, probably with a default set of trusted certificates. No bank robbery attack even needed; just find one of the dumber CAs and convince them to issue you a certificate. Then it's just a DNS spoofing problem.