Can broker in your case mean two "kind of" different things, a normal XMPP server and an XMPP pubsub server? In pubsub, subscribers do not necessarily ever contact the publisher, nor do publishers contact subscribers, but only the broker, so it could perhaps be clarified a bit more.
"As devices all connect to a message broker, external entities cannot connect to the devices, unless the message broker authenticates the device and authorizes its relationship with the original device."
"XMPP also adds a security mechanism whereby clients are authenticated, and the broker also makes sure each client sending a message to another is authorized to do so."
So, maybe you could briefly explain the security (at least the access models) of XMPP's pubsub; I think that the above sentences do not contain enough information about them.
I would remove the words "very" or change them (as well as other filler words)... "Very" does not tell you much unless you explain the difference between, e.g., very powerful and powerful.
Otherwise, really interesting case and paper!
BR, Teemu Väisänen