Storing security keys in flash memory is never a good idea. Keys held there are trivial to extract, and one of the best places to do that is the factory where the devices are made. A malicious actor could build up a database of credentials for every device you make and then use it at a later date to clone any IoT device on your network, at will. Even if the contract manufacturer is not skimming credentials, a third-party actor could do it by compromising the factory machines. It may not happen today, but as soon as your IoT system becomes popular it will be a target, and you will never know whether it has been compromised in this way.
How can you prevent this? You could institute factory audits and attempt to lock down programming machines to keep them free of malware, or you could avoid the whole problem and not store keys in flash memory at all. This is what Afero does: we use a pre-programmed Hardware Security Module that cannot be read or cloned. This gives you confidence that your IoT devices are not compromised in your supply chain and will have a long, secure lifetime ahead of them.