Having designed, built and supported multiple systems for a few large 100+ site corporations, to say it is not a big deal to really separate networks is in no way accurate. If you think it was the same cost or straightforward in any way, you didn't put together a good system.
The security industry is not any better than any other industry at their own security.
When a company has security holes in products that they do not close ASAP for whatever reason, they voluntarily contribute to the risks we all bear in this society and specific industry. There are *many* guilty parties in this list, not just the recently published ones...
Marketing and Sales goals trump Engineering in product design more times than I can count. Physical Security overall is one of the first generations of an IOT industry which has a horrible reputation so far as I can see. (To me every remote camera, motion sensor, door alarm, lighting controller, etc. is a member of the IOT world, whether they physically attach via Zigbee, IP, WiFi, RS-485, etc.) If it can be managed it can be mismanaged/exploited.
It is INCREDIBLY hard to do this separate network isolation well. I have tried it at various levels with many folks smarter than me and always found the results expensive and still wanting.
Security is still the inverse of convenience and always will be by design. The tools for making security effective and manageable across the board and across multiple platforms have not been created yet and maybe not for a while if ever. Security is a process, not a product, but people want to BUY products from people who SELL products. That isn't actual security, IP cameras or not.
The trend towards *AAS isn't security either, that is just selling a different product yet again. IT has had this sort of centralization/decentralization cyclical environment since before I was born. Security is the same as a part of IT. (IMHO it always was, but the "I" was analog video, so it was counted differently, but it wasn't really different then either.)
It might be that the data center hosting things is physically more secure, but notice that nearly all of the recent breaches have been via data housed in large data centers. It wasn't on a SOHO server in a plumbing company office. *AAS is just a revenue contract for profits so far for most vendors. They do not in general deliver a better overall value than in the past. They just found a new way to create vendor lock-in with contracts instead of proprietary feature lists.
Accountant types like it because the costs are predictable and known in advance. That doesn't inherently make the product good or effective/reliable. They aren't as dependent on needing particular skillsets in staffing.
Until the customers take their own Security stuff seriously and demand the vendors work together to provide tools that integrate, are manageable and provide the needed levels of security and business function for reasonable costs, I do not see this changing.
This data infrastructure we seem to be deploying as a society of humans has a cost that is rising along with its perceived value to others (good and bad). This is regardless of the fact that the cost of an IP camera network is falling like a rock while the pixel and storage count climbs to the sky. (Another Process vs. Product example.)
Jon does a great job with products, but the process problem is not so simple. It also is dependent on us as customers and us as vendors. When the most important measurements are things like market cap, stock price, quarterly sales figures, dividends, executive bonus amounts, market share, etc... No wonder security is so awful across the board...
Too few organizations and more importantly too few people really care about it enough to vote with their wallets in either direction... As Vendors we have little incentive to listen to anything else since ALL of the employees' bonuses, stock options, etc. are based on lots of things, but product security is not usually one of their measures.
You can say the market will reward those who get it right, but I say it will not most of the time, because the buyers do not generally select the path that is in their long-term best interest. Buyers are generally measured by the wrong metrics as well, so until the metrics for measuring security are a significant part of the valuation for salaries, bonuses, contract extensions, future orders, etc... I do not see how this can change.
After living in my neighborhood for 15 years, I finally can see only a few homes with open WiFi routers... No matter how much we tried, folks just didn't get it... It only got better when the router vendors shipped things by default secured and forced folks to learn a little bit more than they wanted to hook up their latest gadget. This made at least a tiny step towards security as a process.
So despite the negative tone this started out with, I think there is hope, but not until the paradigm shifts. Denying the difficulty, responsibility and complexity required to solve this is just perpetuating the myth...
Never say "...it doesn't matter because..."... It does matter a LOT and so make them fix the stinking security holes and do not accept ANY excuses from ANY vendor.