ESP8266 vulnerability, how to check?

Probably no audits or pen testing performed, but the Arduino library code is open source, so probably hundreds/thousands of people have skimmed through the code and would probably notice something unsavoury.

I think the big problem with a lot of IoT devices is they don't use encryption for the data, so details like user names & passwords can end up being transmitted as plain text that is easy for a hacker to capture and use.
Pick an MCU with built-in hardware encryption and turn it on, or ensure you use library code that encrypts your data traffic.
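
One way to check your own device for the plain-text problem described above, as an added example that is not part of the original post: this Python sketch takes the first bytes the device sent on a TCP connection (exported from a capture on your own network), classifies them as a TLS handshake or plaintext, and lists credential-like fields if plaintext. The function names, the field-name list and both sample payloads are constructed assumptions.

```python
import base64
import re

# Field names treated as credentials: an assumption for this example, extend as needed.
CRED_FIELD = re.compile(
    rb"(?i)(?:^|[?&\s])(user(?:name)?|login|pass(?:word)?|pwd|psk|token)=[^&\s]+")
BASIC_AUTH = re.compile(rb"(?im)^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$")


def looks_like_tls(payload: bytes) -> bool:
    """True if the stream opens with a TLS handshake record (SSL 3.0 to TLS 1.3)."""
    return (len(payload) >= 3
            and payload[0] == 0x16   # record content type: handshake
            and payload[1] == 0x03   # protocol major version
            and payload[2] <= 0x04)  # protocol minor version


def audit_stream(payload: bytes) -> dict:
    """Classify a client-to-server payload and report credential exposure.

    Only names are reported, never secret values. A non-TLS binary protocol is
    reported as unencrypted even if it encrypts at the application layer.
    """
    if looks_like_tls(payload):
        return {"encrypted": True, "findings": []}
    findings = []
    for m in BASIC_AUTH.finditer(payload):
        try:
            user = base64.b64decode(m.group(1), validate=True).split(b":", 1)[0]
        except ValueError:  # not valid base64, ignore the header
            continue
        findings.append(("http-basic", user.decode("latin-1")))
    for m in CRED_FIELD.finditer(payload):
        findings.append(("field", m.group(1).decode().lower()))
    return {"encrypted": False, "findings": findings}


# Constructed sample payloads (not taken from any real device).
SAMPLE_PLAIN = (b"POST /api/login HTTP/1.1\r\nHost: device.example\r\n"
                b"Authorization: Basic " + base64.b64encode(b"admin:hunter2") + b"\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                b"username=admin&password=hunter2")
SAMPLE_TLS = bytes.fromhex("160301020001000001fc0303") + bytes(32)

if __name__ == "__main__":
    for name, data in (("plain", SAMPLE_PLAIN), ("tls", SAMPLE_TLS)):
        print(name, audit_stream(data))
```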