"The embedded industry has proven to be very resistant to innovations and modern code-writing practices .... And yet, now they are expected to write secure IoT systems."
I second that. Conservative nature of embedded industry led to lots of investment into things like static analysis, WCET's, and automated testing of few languages or platforms they use. Embedded is one of few sectors that can benefit from most deliverables in high-assurance field as well since they structure their stuff simple enough for that vs piles of Linux, containers, bloated apps, etc. The innovation happens outside of the coding mostly. That's why the coding keeps the quality that engineers intended to put into it. :)