Consider IoT products such as Roadside Units (RSUs), which are deployed alongside roadways. RSUs interface with connected vehicles and Traffic Management Centers (TMCs). These devices are deployed in physically unprotected locations. This means that a motivated attacker can capture these devices, and analyze them for vulnerabilities.
Finding a vulnerability in one of these devices can provide information that can be used to compromise and manipulate large groups of these devices—for example, if the same default password is used across an entire family of devices.
Commercial IoT device manufacturers face an even bigger challenge. Their products are designed to be bought off the shelf. Attackers can simply go to their nearest electronics store, purchase the device, and spend as much time as desired attempting to identify flaws. They may discover unprotected test interfaces, or perhaps a vulnerability in the cloud service interface.
Either way, attackers can use this research to craft exploits and gain access to your devices.