A ~$25 7-day thermostat would be fine. IMO, Wi-Fi is a must-avoid, as I would consider it to be a security risk.
Can you expand on what the risk is and how it is different from using a regular password-encrypted home Wi-Fi network? I typically use a VPN while doing any financial transactions, as well.
Typical residential Wi-Fi thermostats (Nest, etc.) aren't designed to be merely controlled over your LAN. Instead, they're designed to punch through your firewall and be controlled over the Internet, via the manufacturer's website. That has several implications:
- Even in normal operation you lose your privacy because the manufacturer knows the thermostat's schedule (which implies that the manufacturer knows when you're home or not).
- If the manufacturer got hacked, the database could fall into the hands of burglars (obviously the hacker and burglar aren't likely to be the same person, but that sort of information, similar to credit card numbers and passwords, gets bought and sold between criminals all the time.)
- If you and/or the manufacturer don't keep the device's security flaws patched (and it's a damn thermostat, so let's be honest, those flaws won't get patched), a hacker could use the thermostat itself to bypass your router's firewall and get into your LAN. This applies to both the cloud service connection (host layers, over the Internet) and the Wi-Fi itself (media layers, via wardriving).
There's also the issue that a plain old low-tech thermostat is guaranteed to work until it physically wears out, but newfangled "Internet of things" bullshit can be bricked by the manufacturer with little notice and no recourse.
Just to add one thing to Jack's list... (It was implied, but let's make it explicit.)
Most of these types of devices create a back door into your home network via some sort of reverse shell. In other words, it is extremely likely the manufacturer can log into a device on your network to do debugging/maintenance. To make it worse: they don't generally make a system with individual keys for every device. They make a system where they can log into ANY device -- usually from a central trusted location.
This means:
* You have to trust every person that works there. This isn't all that hard. They're likely just doing their job.
* You have to trust that their security is such that they will never be used as a pivot point and made into an attack vector. This one is a little harder to trust.
Once someone is sitting on a device inside your network, it's pretty likely they can get pretty decent access to your personal data.
The bottom line is: If you do want to buy into home automation, you probably need to seriously think about your home networking. The old idea of a simple, single-zoned firewall with a flat network behind it is seriously outdated. You are going to need either multiple firewalls or less "consumer grade" firewalls -- ones that handle multiple zones and rules between zones.
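To make the "multiple zones and rules between zones" idea concrete, here is an added example (my own illustration, not code from either poster or from any thermostat vendor) that models a stateful zone firewall in Python. The zone subnets, the 203.0.113.10 "manufacturer cloud" address and the sample flows are all constructed for the example. It contrasts the flat policy described above (everything on one network, everything allowed) with a segmented policy where the thermostat's IoT zone may only reach its cloud service on HTTPS and may never initiate a connection into the LAN, and it shows which dropped flows a defender would want logged: a thermostat opening connections to your computers is exactly the pivot both posts warn about.

```python
import ipaddress
from dataclasses import dataclass

# Constructed zone layout (assumption for the example): the LAN with your computers
# and a separate VLAN for "Internet of things" devices. Anything else is the Internet.
ZONES = {
    "lan": ipaddress.ip_network("192.168.10.0/24"),
    "iot": ipaddress.ip_network("192.168.20.0/24"),
}


def zone_of(ip: str) -> str:
    """Map an address to its firewall zone; unknown addresses are treated as WAN."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "wan"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    state: str  # "new" (connection attempt) or "established" (reply traffic)


# Rules are (src_zone, dst_zone, allowed destination ports or None for any, verdict),
# evaluated top to bottom; "*" matches any zone. Unmatched new flows are dropped.
SEGMENTED_POLICY = [
    ("lan", "iot", None, "accept"),   # you may manage your own devices from the LAN
    ("lan", "wan", None, "accept"),
    ("iot", "wan", {443}, "accept"),  # thermostat may reach its cloud service, HTTPS only
    ("iot", "lan", None, "drop"),     # nothing in the IoT zone may initiate into the LAN
    ("iot", "iot", None, "drop"),     # and IoT devices cannot talk to each other
]

# The "single zoned firewall with a flat network behind it": once a device is on the
# network, it can talk to anything.
FLAT_POLICY = [("*", "*", None, "accept")]


def evaluate(flow: Flow, policy) -> str:
    """Return the verdict ("accept"/"drop") for one flow under the given zone policy."""
    # Reply traffic for an already-accepted connection is allowed, like a real stateful
    # firewall's established/related rule: the thermostat can answer a LAN request to it.
    if flow.state == "established":
        return "accept"
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    for rule_src, rule_dst, ports, verdict in policy:
        if rule_src not in ("*", src_zone) or rule_dst not in ("*", dst_zone):
            continue
        if ports is not None and flow.dport not in ports:
            continue
        return verdict
    return "drop"  # default deny between zones


def denied_iot_to_lan(flows, policy):
    """Flows from the IoT zone into the LAN that the policy dropped.

    On a real firewall these are the log lines worth alerting on: a thermostat has no
    business opening connections to your computers, so a hit here means the device is
    misbehaving or has been compromised and is being used as a pivot.
    """
    return [f for f in flows
            if zone_of(f.src) == "iot" and zone_of(f.dst) == "lan"
            and evaluate(f, policy) == "drop"]


# Constructed sample traffic; 192.168.20.7 is the thermostat, 192.168.10.5 a laptop,
# 203.0.113.10 stands in for the manufacturer's cloud endpoint.
SAMPLE_FLOWS = [
    Flow("192.168.20.7", "203.0.113.10", 443, "new"),         # thermostat -> cloud, HTTPS
    Flow("192.168.10.5", "192.168.20.7", 80, "new"),          # laptop -> thermostat local UI
    Flow("192.168.20.7", "192.168.10.5", 80, "established"),  # thermostat's reply to the laptop
    Flow("192.168.20.7", "192.168.10.5", 445, "new"),         # thermostat -> laptop file sharing
    Flow("192.168.20.7", "203.0.113.10", 22, "new"),          # thermostat -> cloud on a port not allowed
]

if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(f"--- {name} policy ---")
        for f in SAMPLE_FLOWS:
            print(f"{zone_of(f.src)}->{zone_of(f.dst)} {f.src}->{f.dst}:{f.dport} "
                  f"[{f.state}] => {evaluate(f, policy)}")
        print("alert-worthy IoT->LAN drops:", len(denied_iot_to_lan(SAMPLE_FLOWS, policy)))
```

Under the flat policy every sample flow is accepted, including the thermostat reaching the laptop's file-sharing port; under the segmented policy that flow and the non-HTTPS cloud connection are dropped while normal operation (cloud check-in, local management, reply traffic) still works. The same structure maps directly onto a multi-zone firewall's rule table, with the IoT-to-LAN drop rule set to log.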