In principle you can mitigate the security risk of opening up that incoming port by setting up the router in such a way that it does not allow the IoT device to communicate with any other LAN devices on any ports. That way, even if an intruder were able to hack it, they cannot then use it against your LAN clients (it could in principle still be used against WAN clients, think botnet).
Alas, I believe this is something AirPort software does not allow you to do. IIRC you cannot set it to pull up a firewall between one LAN client and all the others. You’d actually have to resort to using two entirely separate LANs where one exists only for the IoT device and the other is your actual AirPort network for your Macs, iOS devices, etc.