Authentication is something that does need to be solved, that's true, but the device is authenticating to the cloud already. I can promise you any bad implementations that would have happened in a local API are currently in the authentication against the cloud-based management solution instead; it's just less obvious.
Security by obscurity is another phrase for it.