Abstract

This paper presents a comprehensive Systematic Literature Review (SLR) focusing on graph-based security and risk assessment approaches for IoT systems, utilizing a comprehensive taxonomy. In addition to elucidating IoT fundamentals and principles, we offer an expansive framework with a specific emphasis on graph-IoT-security concepts, contributing to the systematic organization of information. Unlike existing reviews, our focus is explicitly directed towards using graph theory for security assessment. Moreover, no systematic literature review has been conducted to specifically analyze security assessment approaches of IoT systems using graph methods, excluding other theoretical and applied techniques. The objective is to describe, synthesize, and compare security developments in IoT from the perspective of various research questions. To the best of our knowledge, this paper represents the first SLR that concentrates on graph-based risk and vulnerability assessments. The primary objective of the SLR is to provide a comprehensive overview for researchers to identify attack graph or attack tree-based approaches. We delineate the IoT paradigm from a security perspective, highlighting various types of attacks detected by graph-based techniques. Furthermore, we present a comparative analysis of existing graph-based security evaluation mechanisms designed for IoT under various metrics, such as procedural performance, runtime, complexity, and other algorithmic overheads. Finally, we reveal issues and challenges regarding open problems that have not been considered and addressed in existing studies.

  • Scope

    International

  • Type

    Peer-reviewed

  • Index info

    WOS.SCI

  • Language

    English

  • Article Type

    None