So many great questions.
How many resources are put into ensuring the cameras have the best possible security features and are exhaustively tested for security vulnerabilities?
In general, just as many resources as are put into any other network-based product. No vendor wants to see their product in the news and no vendor wants to violate the trust of their customers. Secure network products are in the best interest of the vendor.
The other part of this answer is: it depends on the vendor. A lot has to do with the product management and engineering culture within the organization. I'd say if you want to increase the chances of getting a product from a vendor that cares about security, choose an established brand. They will likely have more at stake and get more scrutiny from their other large customers in order to win big projects.
How often does some dodgy character unscrew an external IP camera, plug the Ethernet plug into a laptop and sniff around to see what they can find on the internal network?
I think, not often. Other easier avenues into your network are likely to exist. Your network's Wi-Fi is most vulnerable. Also social engineering, or introduction of a virus/backdoor via more common systems on your network (for example, your Windows PC). Finding a network port via an external IP camera is a very specific type of attack so it's just not going to happen as often as other ways of accessing your network. You can protect yourself by setting up a network segment for the IP cameras that does not give out IPs via DHCP, or that requires 802.1x based authentication for network access.
How do you determine if an IP camera has excellent or only average security features and if it's possible to find out how well they have been tested for security vulnerabilities?
You can always ask the vendor. They should have material designed to address security concerns about their products. You should look for third-party assessments (like what might be possible via IPVM). You should ask them about their testing as well as their patch and update process.
What do you do to keep your IP systems secure?
Well, as an IP system one needs to do all the same things one does to keep any network secure. There's a long list of best practices, products and tools, and no shortage of material to help you secure your IP network from attack.
For IP cameras you should get some security vulnerability scanning software and scan the cameras and recording systems. Read up about how to use these tools and see if you can apply them before buying a particular product. Ask the vendor to patch any critical vulnerabilities you find.
Since you seem concerned with the IP port itself as an attack vector, look into 802.1x and be sure to partition the security system from the rest of the IP network.
Is it too far-fetched to consider unplugging IP camera systems from the internet?
No, not at all. The safest system is one that doesn't communicate with any other systems. It diminishes the utility of the system, but if you really want to keep it secure, don't plug it in.
Do HDCVI camera systems have an inherent security advantage over IP camera systems with only the DVR being at risk from outside attack?
Non-IP cameras (like analog or HDCVI) would reduce slightly the vulnerability footprint of the system. The question is, by how much? If your DVR is on the network then it's still a candidate as a vulnerability. But your IP cameras don't increase that risk by much in and of themselves.