Ugh... There are soooooooo many edges, and the problem is that while you must get 500 things right to be [more or less] safe, you only need to get one wrong, and be unsafe. I daresay it is even impossible to list all things to be aware of.
Certainly, there are some things that are more important to Joe Average than others, but none of them is true "security theater", and you cannot really say that there are things that don't matter.
Most network protocols are just plaintext, but some do encryption (a satellite link or 4G/5G would be examples). This prevents a random loser from performing the most basic sniffing attacks, but it is somewhat limited and it only works between two nodes (e.g. your "internet box" (fiber modem/cable/DSL router, whatever) and the provider's satellite, base station, DSLAM, or "whatever box"). It does, however, provide a little, actually not-so-bad layer of "fallback" security in case you don't get the next paragraph right.
Why am I saying actually-not-so-bad? Well, because although we conservatively think in terms of "the whole internet and everybody on it is malicious", in reality that isn't so much the case. Reading/intercepting your traffic at ISP or IPX level is something that the average criminal, and even the seriously experienced criminal, are normally utterly unable to do, and it's something that "doesn't happen". (Yes, I am aware of governmental organizations which do this thing systematically and routinely on a large scale, but that is beside the point. I'm talking about criminal criminals, not legal criminals.)
Unluckily, sniffing and tampering with messages is by far not all one can do.
TLS ("https://" or "green browser button thingie") is the one basic defense that prevents someone else who is not inside or near your house (possibly thousands of kilometers away) from reading your communications, intercepting/redirecting them, and changing their contents. This is an end-to-end encryption (and authentication), and it is the most important thing for Joe Average. Why? Well, because it prevents me from reading your stuff, and from deceiving you into believing that I am your bank and telling me your password along with transaction numbers (which I'll use to steal your money). Your secrets remain secret, and I cannot pretend to be you.
Again, we see that there's more than one side to the coin. Encryption is nice, but by itself it isn't sufficient.
Authentication should be considered just as important, and in some cases maybe even more important. Because, well, as long as both sides can verify that exchanged data (say, a bank order) is indeed authentic, it sure is "annoying" if someone can read it, but nowhere near as troublesome as if a criminal were able to pretend to be you and do transfers in your name!
Note that authentication only works reliably (barring the possibility of someone subverting the certificate chain) if you actually read what's displayed in that badge, too. Everybody can enable TLS on their server, and everybody can get a certificate and show a green banner. That, by itself, doesn't mean much.
While I personally disagree on the common "encrypt everything!" ideology[2], for anything that matters, i.e. anything where personal data or passwords, or non-trivial transactions are involved, TLS is a must-have-no-choice measure if a continuous, happy life is on your to-do list, and for most people the first, most important thing. But it's nowhere near the only consideration, or the only important one.
Actually, sometimes TLS is not end-to-end, because sometimes you have root certificates installed on your computer (often the case with "enterprise" equipment, and it happens with schools), so there exists a group of people who can, with arguably legitimate (cough) interest, read and modify your traffic. No, you will not even notice that this happens; you have no way of telling. So, that's one thing to keep in mind and be wary of when e.g. using an enterprise laptop or being asked to install some stuff on your device by your kid's school (or such). Completely, entirely subverting the whole working and purpose of TLS is possible, and is being done (usually without users understanding the implications).
Note that TLS also does not truly work as-intended for "everything", at least not in an end-to-end fashion. For example, many e-mail services nowadays optionally support TLS. But while you may think that's just perfect and good enough, it is only end-to-end between you and your mail server. The "real" end is somewhere else!
The message is stored in plaintext on the server, and possibly (likely) transmitted in plaintext to another mail server, and you do not know whether the other person sending/receiving your emails is using TLS (since it's an optional feature).
If you want true end-to-end encryption (which still discloses the fact that you sent something to a particular person), you must use something extra, such as PGP/Enigmail/Autocrypt. Which sounds easier than it is because sadly, the available software is anything but user-friendly and anything but mature, at least if, like most people, you use a Windows computer (e.g. no progress after 4 hours when creating a key, or the management program throwing assertions every 5 mins). It admittedly works much better under Linux, but unluckily, to many people "Yeah, just use Linux" isn't a valid option.
Wifi security itself has many aspects. For example, you may worry that someone uses your internet and steals a little of your bandwidth. But that is actually only a very insignificant, little thing compared to your provider canceling your contract, or getting a cease-and-desist for stuff tracked back to your IP address (maybe you contributed to a DDoS or work as relay for a botnet?), or police kicking in your door because something highly illegal was hosted on your home network and distributed on the web (think typical "darknet stuff", child porn, weapons, whatever).
It is also a rather small problem compared to the fact that someone using your Wifi is in fact using a "local network" computer. Which, as a very smart default in some operating systems, is given a lot of trust, including the ability to print and share files, or much more relaxed firewall settings in general.
A local computer usually has no trouble completely reconfiguring the router using e.g. UPnP either. Because yeah, it's local, so it's trustworthy, right. And UPnP is great, so we have it enabled. Plug and play is great already; my USB stick and my mouse work that way. This one is even universal, which sounds like it is even better. So let's leave it enabled, it was enabled by factory settings anyway, and Windows even runs a service for it, they know what they're doing!
Apart from being just outright "disturbing", a local computer further (usually) has the ability to access and thus test every device on the network (including computers, but also e.g. printers, television sets, or some refrigerators which, too, are computers) for exploits. This includes some really stupid default passwords like "0000" or "admin". Which, believe it or not, many present-day devices still have as a factory setting, and for which probing malware (e.g. Mirai) is readily available. All you need is a foot in the door.
Bah. Humbug. What avail if someone manages to hijack a few IoT devices? It can't do any harm! Well, that may be what you think...
That's why one doesn't leave a Wifi network open. At the very least, if you have no better option, you should set up a significantly long/complicated WPA2 password and completely disable WPA/WEP (which, for a reason I don't understand, are still widely supported, and enabled?). But it doesn't stop there. Wifi (at least the flavor that you are likely to own) is not built for full-time hardcore network admins, but for end-users, including your 80-year-old mom. Which means it has features that make it more mundanely usable, such as "press button here". Which also means, unluckily, it is a lot more vulnerable in general. Some Wifi routers have a "restrict to known devices" setting of sorts, which I deem a reasonably good idea to always enable, except during the 5 seconds when you bring in a new device for the first time. That still doesn't protect against some exploits, but it prevents the most stupid insecure-by-design problems, and there is only so much you can do. At some point, the only thing you can do to increase security is not to have a computer at all.
But it doesn't stop there! And you just thought you were safe.
For example, if your Wifi devices support PMF, you likely want to enable that. Why, what does it do?
Suppose you have a bunch of security cameras connected via Wifi, and I'm a burglar who doesn't like video footage of his break-ins. My personality rights, you know. So what do I do? I can dig a hole in the street and cut the power cable (or climb up a pole, depending on where you live). But this is easily noticed; I don't want to be seen, nor do I want neighbours to call in the power outage. I can set up a jammer which brutally kills off the 2.4GHz band. But... everybody in the neighbourhood will notice immediately, and I don't want attention. So what do I do?
I invest $20 in a deauther, which is a credit-card-sized mini-computer that listens for frames on your SS (your "WLAN channel"). It then sends, for every device seen, an "I am going off, please deauthenticate me" message to the Wifi AP tagged with its address. Poof, offline they go, all your nice cameras, and nobody even noticed! Your neighbours won't complain that their WLAN suddenly isn't working, either (in fact, if channels overlap, it might work better). It's just you who has been cut off, cleanly and silently. Turning on PMF prevents that from happening.
Unluckily, not all devices support it at all, and on those that do, you often have to search quite a bit to find the setting (which is, of course, by default disabled).
Coming back to the original question:
In light of the fact that I can (probably) disable your video surveillance, completely, and instantly, without giving away a clue, using $20 worth of equipment, do you think that one can justify saying "Security measure X is more important than this one."? On the other hand, seeing how I could withdraw all money from your bank account, do you think one can justify saying "This one is more important than Y."? I don't think one could say one or the other. They're both equally important, in different situations.
Do you think it is justifiable to call it "security theater"? I don't think so. One measure is useless without the other, criminals (or "bad people" in general) will just use whatever opportunity they're given.
Only paying attention to every component will give you a reasonable level of protection, as the likelihood that they find an open opportunity is much lower.
And yes, of course even when you do pay attention you're not 100% safe even if you never did anything wrong in your life. Because, hey, you might have a backdoor built in your router without even knowing.
[1] Note that "VPN" is a bit ambiguous as there exist a multitude of VPN providers who sell... uh, I'm not sure what they sell exactly. Actually what they call "VPN" is really more like a proxy. But apparently, you can find people who will pay you for that.
[2] Really, I don't care if someone can see what I type in Google (them being the actual problem, not the random hacker!), nor do I care if someone could possibly see which particular URL on a server I visited, or what pictures I looked at. Nobody wants to know anyway, nobody cares, and I don't care if they do. Weighing this against the extra power consumption and added delay, plus the immense trouble of setting up a transparent web proxy (which was a total no-brainer 10 years ago!), this is one thing that I really consider "security theater" going totally overboard. But alas, that's just my opinion, and I guess it's the price that you just have to pay.
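The deauther scenario in the answer above (unprotected deauthentication frames, sent with the AP's address, knocking every station off the network, which PMF/802.11w stops because protected management frames are signed) can be watched for on your own network. The following is an added example, not code from the post's author: a small parser for the 24-byte 802.11 management header plus a sliding-window detector that flags a BSSID receiving a burst of unprotected deauth/disassoc frames. The frames in `SAMPLE_FRAMES`, the `02:...` MAC addresses, the window and threshold values, and the function names are all constructed for illustration; in practice the frames would come from a monitor-mode capture of your own WLAN.

```python
"""Deauthentication-flood detector over raw 802.11 management frames.

Added example, not code from the original post. All frames and addresses
below are constructed (locally administered 02:... MACs) for illustration.
"""
import struct
from collections import defaultdict

TYPE_MANAGEMENT = 0
SUBTYPE_BEACON = 8
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12
FC1_PROTECTED = 0x40  # "Protected Frame" bit in the second frame-control byte

def mac_to_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))

def bytes_to_mac(b):
    return ":".join(f"{x:02x}" for x in b)

def make_sample_frame(subtype, dst, src, bssid, reason=None, protected=False):
    """Build a minimal management frame as test data only; nothing is transmitted."""
    fc0 = (subtype << 4) | (TYPE_MANAGEMENT << 2)
    fc1 = FC1_PROTECTED if protected else 0
    hdr = struct.pack("<BBH6s6s6sH", fc0, fc1, 0, mac_to_bytes(dst),
                      mac_to_bytes(src), mac_to_bytes(bssid), 0)
    body = struct.pack("<H", reason) if reason is not None else b""
    return hdr + body

def parse_mgmt_frame(raw):
    """Decode the 24-byte MAC header; return None for non-management frames."""
    if len(raw) < 24:
        return None
    fc0, fc1, _dur, a1, a2, a3, _seq = struct.unpack("<BBH6s6s6sH", raw[:24])
    if (fc0 >> 2) & 0x3 != TYPE_MANAGEMENT:
        return None
    subtype = (fc0 >> 4) & 0xF
    protected = bool(fc1 & FC1_PROTECTED)
    reason = None
    # A PMF-protected body is encrypted, so only read the reason code from plaintext frames.
    if not protected and subtype in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC) and len(raw) >= 26:
        reason = struct.unpack("<H", raw[24:26])[0]
    return {"subtype": subtype, "dst": bytes_to_mac(a1), "src": bytes_to_mac(a2),
            "bssid": bytes_to_mac(a3), "reason": reason, "protected": protected}

def detect_deauth_flood(frames, window_s=1.0, threshold=5):
    """frames: iterable of (timestamp_seconds, raw_bytes).

    Returns {bssid: {"peak": n, "targets": k}} for each BSSID where at least
    `threshold` unprotected deauth/disassoc frames fell inside any `window_s`
    window. Protected (PMF-signed) frames are skipped: a cheap deauther
    cannot forge those, so they are not the signal we are looking for.
    """
    stamps = defaultdict(list)
    targets = defaultdict(set)
    for ts, raw in sorted(frames, key=lambda f: f[0]):
        p = parse_mgmt_frame(raw)
        if p is None or p["subtype"] not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue
        if p["protected"]:
            continue
        stamps[p["bssid"]].append(ts)
        targets[p["bssid"]].add(p["dst"])
    alerts = {}
    for bssid, times in stamps.items():
        peak, start = 0, 0
        for end in range(len(times)):            # sliding window over sorted timestamps
            while times[end] - times[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[bssid] = {"peak": peak, "targets": len(targets[bssid])}
    return alerts

# --- constructed sample capture --------------------------------------------
AP_HOME = "02:00:00:00:00:01"       # your AP, without PMF
AP_NEIGHBOUR = "02:00:00:00:00:02"  # a neighbouring AP
AP_PMF = "02:00:00:00:00:03"        # an AP with PMF enabled
STATIONS = [f"02:00:00:00:00:{i:02x}" for i in range(0x10, 0x16)]  # six cameras

SAMPLE_FRAMES = []
# Normal beacons from the home AP (ignored by the detector).
for i in range(5):
    SAMPLE_FRAMES.append((9.0 + 0.1 * i, make_sample_frame(
        SUBTYPE_BEACON, "ff:ff:ff:ff:ff:ff", AP_HOME, AP_HOME)))
# One legitimate deauth on the neighbour's network (reason 3: station leaving).
SAMPLE_FRAMES.append((9.5, make_sample_frame(
    SUBTYPE_DEAUTH, STATIONS[0], AP_NEIGHBOUR, AP_NEIGHBOUR, reason=3)))
# The burst described in the post: unprotected deauths carrying the home AP's
# address, one per station, all within 300 ms (reason 7 as seen in such floods).
for i, sta in enumerate(STATIONS):
    SAMPLE_FRAMES.append((10.0 + 0.05 * i, make_sample_frame(
        SUBTYPE_DEAUTH, sta, AP_HOME, AP_HOME, reason=7)))
# The same burst on the PMF AP, but signed (e.g. the AP itself rebooting): skipped.
for i, sta in enumerate(STATIONS):
    SAMPLE_FRAMES.append((11.0 + 0.05 * i, make_sample_frame(
        SUBTYPE_DEAUTH, sta, AP_PMF, AP_PMF, protected=True)))

if __name__ == "__main__":
    for bssid, info in detect_deauth_flood(SAMPLE_FRAMES).items():
        print(f"deauth flood on {bssid}: {info['peak']} frames, {info['targets']} stations hit")
```

Only the home AP is reported: the neighbour's single deauth stays below the threshold, and the signed frames on the PMF network are not counted at all, which is exactly why enabling PMF on the AP and the cameras removes the cheap deauther as a threat in the first place.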