Forbes, in When 'Smart Homes' Get Hacked: I Haunted a Complete Stranger's House via the Internet, reports (poorly) on a flaw with early versions of the INSTEON Hub. The issue is that the first version of the product (which has since been recalled, and this flaw--among others--fixed) did not require a username or password to access it from the Internet. You have to go through some extra steps to make it accessible via the Internet, so this couldn't occur with the user's knowledge, but it seems that many ignored the documentation's warning to make sure a password had been set. The new version now requires you to turn on the security features when you enable outside access.
The Forbes article boarders on the silly in its tone and example, but this is a real problem for anyone who makes the home automation system accessible from the outside. In the past, it was possible to rely on "security through obscurity" but that is never a wise choice.
If you're rolling your own solution using something like X2Web or Astak Mole, make sure you've battened down the hatches. But if you're using third-party services such as Dropcam, WeMo, or Withings, you're at their mercy when it comes to knowing if strangers are able to access your devices. (And I think we can all agree that cameras pose the most intrusive risk.)