Insecure connected devices can cause serious threats not just to smart home-owners, but also the underlying infrastructural network. There has been increasing academic and regulatory interest in addressing cybersecurity risks from both the standpoint of IoT vendors and that of end-users. In addition to the current data protection and network security legal frameworks, for example, the UK government has initiated the ‘Secure by Design’ campaign. While there has been work on how organisations and individuals manage their own cybersecurity risks, it remains unclear to what extent IoT vendors are supporting end-users to perform day-to-day management of such risks, and what is stopping the vendors from improving such support. We interviewed 13 experts in the field of IoT and identified three main categories of barriers to making IoT products useably secure: technical, legal and organisational. In this paper we further discuss the policymaking implications of these findings and make some recommendations.