Without doubt, there'll be either known or currently unknown, unreported, undivulged or unrealised vulnerabilities and viable attack vectors in the current range of IoT connectable alarm systems - all generations, as threats never really disappear they just evolve and mutate over time.
Attack vectors against individual stand-alone installations on their own are relatively low, but only through their relative obscurity on the internet and limited ability to identify individual locations based on purely the ISP's host DNS identifiers. Meaning if you found it's presence on the internet it would be much more difficult to identify the actual physical site location without access to ISP documentation/systems. But still the potential to make the system at least unavailable from legitimate remote access would be a trivial matter that would require minimal knowledge.
Where as any alarm systems that use a manufacturer's central servers/services to aid remote connectivity by mobile phone apps for example (eg to remove the requirements for the installer/user setting up of host to dynamitic dns services) are prone at the very least to denial of service attacks if the manufacturer's central system is compromised. This could result in an alarm system becoming unaccessible to remote management/reporting all the way through to possible disruption at the individual alarm system locations i.e the building alarm could be activated if the individual systems are then compromised. As long as you still have onsite manual hardware protection i.e mechanical door locks - it'll just possibly be an inconvenience - but when electronic door locks become more available/common and these themselves become interlinked to online services or internet connected alarm systems the game is definitely on for a would-be attacker whoop! whoop!