HACKER Q&A
📣 mikewarot

A Secure IoT device – Is it possible?


Could a device be made which is accessible via the internet and functions for years without being hacked?


  👤 theamk Accepted Answer ✓
Sure it is, you just need a significantly reduced software stack, like an embedded device. Harvard architecture, where the code memory and data memory are completely distinct, also helps by eliminating many (but not all) classes of vulnerability.

For example, take a look at the ESP8266, which is a $2 Wi-Fi device with 1-16MB of program space (FLASH) and 80 KB (that is 0.08 MB) of RAM. There are no "remote execution" vulnerabilities there [0] -- just "DoS" and "bypass wireless encryption" ones. In general, for IoT, you encrypt all traffic and you do not trust users' networks anyway, so it should not matter that the network packets can be intercepted.

For more protection, you can use Wi-Fi co-processors [1] -- then even if your Wi-Fi co-processor is completely compromised, the worst it can do is to monitor/change network packets, something that we know how to handle already.

[0] https://nvd.nist.gov/vuln/search/results?form_type=Basic&res...

[1] https://www.wiznet.io/product/wifi-module/
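
One way the main MCU can handle a co-processor that changes or replays packets, as described in the answer above: authenticate every frame end to end with a shared key and a strictly increasing counter. This is an added example, not code from the thread. The frame layout, the `seal`/`Receiver` names and the demo key are assumptions, and it covers integrity only (hiding the payload from a monitoring co-processor would need an authenticated cipher on top).

```python
import hashlib
import hmac
import struct

TAG_LEN = 32                # HMAC-SHA256 output size
HDR = struct.Struct(">Q")   # assumed layout: 64-bit big-endian message counter

def seal(key: bytes, counter: int, payload: bytes) -> bytes:
    """Sender side: frame = counter || payload || HMAC(key, counter || payload)."""
    body = HDR.pack(counter) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Receiver:
    """Runs on the main MCU; bytes handed over by the co-processor are untrusted."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1  # highest counter accepted so far

    def open(self, frame: bytes):
        """Return the payload, or None if the frame is short, forged or replayed."""
        if len(frame) < HDR.size + TAG_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return None
        (counter,) = HDR.unpack(body[:HDR.size])
        if counter <= self.last_counter:            # replayed or reordered frame
            return None
        self.last_counter = counter                 # only advanced after the MAC check
        return body[HDR.size:]

def demo():
    key = bytes(range(32))                          # constructed demo key
    rx = Receiver(key)
    good = seal(key, 1, b"valve=open")
    tampered = bytearray(seal(key, 2, b"valve=open"))
    tampered[HDR.size + 6] ^= 0x01                  # one payload bit flipped in transit
    return {
        "good": rx.open(good),
        "replayed": rx.open(good),
        "tampered": rx.open(bytes(tampered)),
        "truncated": rx.open(good[:10]),
        "next": rx.open(seal(key, 2, b"valve=closed")),
    }

if __name__ == "__main__":
    print(demo())
```

Because the counter is only advanced after the MAC verifies, a forged frame with a huge counter cannot lock out later legitimate frames.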


👤 LinuxBender
Yes. There are enterprise-grade IoT devices that are managed remotely, get patched, have firewalls and role-based access controls. The low-end devices are a function of profit. People want to make a cheap throwaway thing, toss it over the fence and make money. There are no laws requiring them to care or to eat into their perceived profits.