The fix is not easy but it involves decentralizing certificate issuance + IPV6. Every network need a unique domain name system using a tool like namecoin or ethereum name project. So you’d have something like ipphone001.iotdevices.youruniquehouse.tld pointing to your unique IPV6 address. Instead of a centrally issued public ssl cert you’d store a cert in your dsitributed DNS system. Now you can go to ippohon001…. and get to your IOT device and allow it to be only accessible on your local network still.
By moving to a global addressing scheme for IPs so every IP is unique, and taking the problems of centralized DNS and SSL certification you open up the ability to truly have SSL everywhere.