The people who could control updates - the users and the manufacturers - are not the people suffering from DDoS attacks. Even if someone else can do the work, one of those groups has to approve the update, and they've got no incentive to do so. Unless you create a new government agency that has the keys to update any IOT device. Luckily that's unlikely to happen, because government control of cameras inside your house does not sound like a great idea.

Also, it would still require a massive effort, because to be effective, you have to find and patch the security holes *before* malicious actors exploit them; as Matthew mentioned, competent attackers will disable update mechanisms if at all possible.