IoT devices with public IP?
Whilst such devices shouldn't be directly exposed, it can happen and not just through sloppy setup or UPnP.
A compromised router, internal malware, driveby malvertising, etc. could all create a gap into the internal network.
In addition, it may happen occasionally that changes made to otherwise secure networks may inadvertently expose internal resources. This is especially likely when people start experimenting with IoT.
Finally, it is possible that consumer devices come with a vendor supplied Internet service to get a "secure" remote connection and that may not be properly secured. For example, many NAS's come with a way to access them remotely without having to create inbound firewall rules. The NAS connects to a vendor server and you also connect to that when remote via some web service or app. Many consumer IoT devices come with similar services that allow access from mobile phones (remote lights, heating controls, etc).