For IoT Security Certification - Does For-Profit Compromise The Situation?


As you may have seen, we've been showcasing how poor security is for many IoT devices.

We have also been pushing for some strong standards in the area, as dolls such as Cayla have managed to be sold into the UK without having any in-built security.

So UL (Underwriters Laboratories), a 122-year-old safety standards organisation that certifies minimum safety standards for a range of equipment, including electrical wiring, point-of-sale (POS) terminals and cleaning products, has now entered the IoT certification market. They were a not-for-profit agency until 2012, when they moved the business into a for-profit setup. They now aim to certify IoT devices using the UL 2900 certification, but they are refusing to share their standards with security researchers, and are charging $800 for a full set of specifications.

In the US, there are moves to set up test labs for IoT, such as the Cyber Independent Testing Laboratory (CITL). The worry with UL is that they, unlike the IEEE, are a for-profit organisation, and could lose some credibility in defining standards while making a profit on them. Another worry is that the testing will be a once-only exercise for a new device, and devices will not be continually tested, which is a risk as the patching of IoT devices tends to be weakly implemented.
