
So why do I bother clicking "install updates" on my machine every few days?


There's a difference between security issues due to a programming bug vs. insecure design.

If an application was created without security in mind, in the worst case it might require a complete rewrite. In other cases it might be a whack-a-mole game.

For example, compare ssh vs. an application that simply opens a port and starts bash as root. You can use both to control your server, but if you want to add security it would be a lot of work (you could incrementally add authentication, encryption, maybe restrict what the user can do, but there will be a million and one ways to escape).

After fixing one issue after another without seeing the end, you'll realize it would be less work to just rewrite it from scratch with security in mind.

Security is not a feature, it is a process.


I think the parent post is talking about a design for security rather than fixing security bugs. A device or system designed without security in mind likely isn't going to get security as a priority at any point in its lifetime, or isn't going to be worked on by security-minded folk. Any updates are likely going to be superficial, poorly implemented, or simply not a priority for the developers.

In regards to IoT devices, as the article is lamenting, many are designed with no security in mind and instead seem to be thrown together as quickly as possible to achieve a function, without considering the implications that a security breach may have with said device (e.g., IoT baby monitors, thermostats, home locking systems).


Because in practice, for the moment, there is a difference between "insecure" and "insecure and being exploited in the wild".



