Because they probably paid some contractor to design it and requesting this as an update would be expensive. Most likely some director doesn't think it's worth the money. Furthermore, the security team / one random guy who is now told to handle security duties after they got that e-mail most likely has an IT background and thinks reverse engineering embedded systems is impossibly difficult.
It would only be done if the press started publishing clickbait involving "THIS TOY IS WATCHING YOUR CHILDREN!!" as most IoT security not done by the top companies is entirely reactive.
Pairing is a big paint point though AIUI, releasing this toy with the need to pair it first would probably have cost them significant numbers of returns. Not saying it's justified, but ...
Perhaps they could give away an optional tin-foil suit for furbies of owners who have security concerns!
Oh yeah, totally. BLE support on both android and iOS is lacking. Older versions of android, and I believe all versions of iOS (please correct me if I'm wrong) do not offer a programmatic way of supplying the pin for pairing. This means that when you programmatically connect to a BLE device from an app, the user will get a pin prompt. This prompt covers most of the screen so it really is a pain.
Though for the furby it shouldn't be too bad. Just display the pin on one of its eyes.
It would only be done if the press started publishing clickbait involving "THIS TOY IS WATCHING YOUR CHILDREN!!" as most IoT security not done by the top companies is entirely reactive.
Just a guess though. Never worked for Hasbo.