[nickjackson]

Would it not make sense for broadband router manufacturers to step up here, especially ISPs who provide routers to customers.

First of all, IoT devices really need to be connected on isolated vlans with very strictly controlled WAN capabilities. Obviously this already exists, but not in the fashion a layman, who wants to put their fridge on the wifi will understand. The average home routers need cleaner interfaces and clearer abstractions rather than the cruft that exists now.

Does your fridge really need to access the internet, and if it does, perhaps you could setup your router to only allow access at certain times, to a single host and with circuit breaker protections in case traffic has a signature that matches that of a DDoS attack. This circuit breaker pattern could be extended to all traffic running through the router, and provide the user with reports of potential infected devices and traffic hungry users.