This paper investigates the problem of secure localization where the device vulnerabilities are used to perform adversarial attacks in the Internet of Things. Compared with existing work, a practical vulnerability-induced adversarial attack model is considered, where a malicious user is able to make use of vulnerable nodes to launch attacks, which may destroy the localization services or cause private location information leakage. To address the above issue, the Quality of Security (QoSec) is introduced to quantitatively describe the capability of anchor users to provide secure data. Based on the maximum path attack probability, the QoSec is calculated by taking into account the attack value, social value and device vulnerability. Furthermore, from the perspective of the anchor security assessments, this paper designs a Secure Localization (SLoc) algorithm through selecting the anchor users with high QoSec values. Theoretical analyses are performed to prove that the SLoc algorithm is secure, correct, and accurate. Experiments and simulations are conducted to demonstrate the superior performance of the SLoc algorithm and validate the analytical results.