I think that's actually the only solution to the IoT security problem: more people regularly scanning for and bricking these devices, until the return rates make it unprofitable to sell broken devices in the first place
In that case, I think for the vigilantes it's absolutely critical that they figure out how to brick these devices as quickly as possible when they come on the market, because if they're targeting devices that are a couple years old now, that means many consumers will be past their warranty period and may not be able to return them.