You can get it to turn the lights on and off, control your heating... all sorts. But then you have to connect insecure light bulbs and stuff (IoT) to the www, all of which have default passwords of 123 or ABC.
Depends on how/what you connect for that to be an accurate statement. I use Z-Wave products, which do not have a default password or an IP address, but the controller is on a Raspberry Pi. Z-Wave products are only vulnerable during the few seconds of the pairing process, and even then it is very difficult to exploit, and not all Z-Wave products are exploitable.
I have a second Raspberry Pi which is connected to a number of sensors around the house on the windows and doors, PIR, CCTV, etc. When the house alarm is set and one of the sensors is triggered, my phone goes off; when the alarm is not set, the lights follow you around the house. We have a couple of Alexas around the house which are connected to the Z-Wave, and the speaking smart home works OK, not brilliant yet but it is improving. I am building a new Alexa for the bathroom with another Raspberry Pi; this is pretty easy and cheap. All the smart home Raspberry Pi and Echo traffic is filtered so none of it can be used for nefarious activities even if a hacker pwns one of them. The whole network at home is monitored with the Security Onion.
An Arduino monitors the garden moisture level and waters it for me in the summer.
I have just bought a Ring and I am looking to make my own Echo Show for it and I am building a smart mirror.