If I decide to go with HTTPS I need to buy an SSL certificate for each device, don't I?
No, you can create one with GPG/Kleopatra; if you want, you can also install it in your browser as a trusted cert (otherwise you get the red unsafe message asking you to continue, but that is fine too). You only need to purchase one if you want to give others that extra layer of trust (you are verified by VeriSign, for example). Your own cert is perfectly fine.
How is it possible to "take control of a different device" using mine? I really don't understand how this is possible.
Not necessarily another device, but if your ESP is controlling some hardware, vulnerabilities in your code could allow an attacker to disable, modify, or destroy the equipment being controlled by it. If your device supports OTA updates and someone can upload custom firmware, then it could be used to attack other facets of your network (highly unlikely, but it is possible).
But even if this was not the case, anyone can open a port on their own router to access the web page from the outside.
Sure, but you could also deny requests from IPs that are outside of the local subnet, or require them to enable external connections in the settings/whitelist. I use Ngrok sometimes, which gives me an external HTTPS portal.
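The subnet check and whitelist described in the reply above, as an added example that is not code from the thread or from any ESP library. It is plain C so it runs on a desktop; on the ESP you would feed it the client address your HTTP server hands you. The device address 192.168.1.10/24, the whitelisted address 203.0.113.5 and the test addresses are constructed sample values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parse a dotted-quad IPv4 string into a host-order uint32_t.
   Returns 1 on success, 0 on any malformed input (trailing junk,
   octet > 255, missing octets). */
static int parse_ipv4(const char *s, uint32_t *out) {
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* 1 if ip is in the same subnet as local_ip/mask, 0 otherwise
   (including when any address fails to parse). */
int ip_in_local_subnet(const char *ip, const char *local_ip, const char *mask) {
    uint32_t a, l, m;
    if (!parse_ipv4(ip, &a) || !parse_ipv4(local_ip, &l) || !parse_ipv4(mask, &m)) return 0;
    return (a & m) == (l & m);
}

/* Access policy: local subnet is always allowed; external sources are
   allowed only when the user has enabled external access AND the source
   is on the whitelist. */
struct access_policy {
    const char *local_ip;
    const char *netmask;
    int allow_external;               /* the "enable external connections" setting */
    const char *const *whitelist;     /* exact-match external addresses */
    size_t whitelist_len;
};

int request_allowed(const struct access_policy *p, const char *remote_ip) {
    uint32_t r;
    if (!parse_ipv4(remote_ip, &r)) return 0;   /* malformed address: deny */
    if (ip_in_local_subnet(remote_ip, p->local_ip, p->netmask)) return 1;
    if (!p->allow_external) return 0;
    for (size_t i = 0; i < p->whitelist_len; i++) {
        if (strcmp(p->whitelist[i], remote_ip) == 0) return 1;
    }
    return 0;
}

/* Constructed sample policy (assumption: device at 192.168.1.10/24,
   external access enabled, one whitelisted external address). */
static const char *const sample_whitelist[] = { "203.0.113.5" };
static const struct access_policy sample_policy = {
    "192.168.1.10", "255.255.255.0", 1, sample_whitelist, 1
};

int sample_request_allowed(const char *remote_ip) {
    return request_allowed(&sample_policy, remote_ip);
}

int main(void) {
    const char *probes[] = { "192.168.1.42", "192.168.2.42", "203.0.113.5",
                             "203.0.113.6", "192.168.1.999", "not-an-ip" };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-14s -> %s\n", probes[i],
               sample_request_allowed(probes[i]) ? "allow" : "deny");
    return 0;
}
```

Two caveats a practitioner would want: the check only covers IPv4, and a source-address filter is a coarse first gate, not authentication. Anyone who does reach the page (a guest on the Wi-Fi, or a whitelisted host that is itself compromised) still gets full control, so the page should also require a credential before it accepts commands.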
Actually, my device is connected to the Internet just to retrieve the current datetime from an NTP server.
Yeah, that is fine; your device is creating the requests, not accepting external requests.
Nothing can ever be 100% secure; it is up to the designers to decide when what they have is good enough, based on the value of what the data/systems can do or access.