I much prefer a model where each internet-enabled device has a fixed address to a local host, and a pair of keys and passphrases used for encrypting that connection using a known-good algorithm (say, AES256) and identifying the other end, set only with physical access to the device.
Physical access itself would also need a simple key, perhaps one based on factory-fused chip ID or something.
At bootup, reset, or loss of connection, the device makes an initial (TCP) connection to the local host. The device initiates a handshake with the host, ensuring that both ends know the shared secrets without transferring any of the secrets themselves, and transferring initial vectors for use in the encryption in a secure (un-overheardable, un-replayable) manner. After this, this (TCP) connection is the only one that the device supports. (Actually, having more than one allowed local host + gateway pairs, for failover purposes, would be nicer; with TCP connection attempts coming from the failover addresses only answered if there is no current connection or the current connection is stale/timeout.)
The device only needs to expose an UART (four pins: VCC, TX, RX, GND), and one could define a simple, compact format for transferring the configuration data. Heck, a five-pin SPI might work even better (since it has a separate clock line). One could then configure such devices using an USB-UART/USB-SPI cable, or even make a dedicated configuration device for field work. Heck, it ought to be possible to combine even firmware updates to the format... As an open one, many different devices could use the same format (and therefore config devices and software).
For catering to current practices, have the devices support DHCP, and be individually preprogrammed to use some Cloud host.
Why not? Because us humans tend to be rather stupid, and equate security with secrecy, even though best security is the kind that is secure even when completely public (like AES encryption standard).