But at that time worms, ransom ware, hacked internet routers, etc where unheard off. Making something possible from a technical point of view doesn't mean it is a wise thing to do.
That you are quite mistaken, actually. IPv6 was formalized in 1998, at that time we had stuff like the Morris worm, CIH, OneHalf, Happy99 worm. Melissa worm appeared in 1999, ILOVEYOU worm in 2000, 2001 brought Nimda, Sircam and plenty of other such self-propagating plague. Spam and hacking attacks were also completely routine.
That we didn't have hacked home routers and ransomware doesn't mean that internet security wasn't a major problem already, especially with the millions of Windows PCs that have just gained Internet connectivity back in that era and had more holes than Swiss cheese.
Also, why do you think IPv6 originally included IPsec as mandatory if not for security reasons?
I personally wouldn't be worried by IPv6 stack being a security hole - by itself it cannot do that much. If the rest of the system is decent, it wouldn't be any more a security hole than an IPv4 stack. A more relevant question is whether that IoT device will have useful life long enough to actually see the rollout of IPv6 in its intended application. If not, then it is a pointless exercise and waste of resources. Right now it is still really rare to see consumer electronics to support IPv6 meaningfully, including things like domestic routers and such - many don't support it at all (!) or at best can handle packet routing and DHCPv6. So if OP is planning to rely on some of the more advanced features of IPv6, they will likely be very disappointed and face nightmarish support issues due to all kinds of broken hardware out there.
Autodiscovery is still best handled using things like Zeroconf or DNS-SD, regardless of whether the device uses IPv4 or v6 - you will likely want to configure/advertise more things than only an IP address and DNS. That is where Zeroconf or DNS-SD shine, literally allowing to advertise and discover every coffee machine in the building.