I agree with your overall point that auto code should be open to review and the "could have uncovered" buys the EFF enough wiggle room in the headline -- but it just seems extremely unlikely that it would have been uncovered.
Part of my doubt comes from a financial incentive for random researchers to really spend time on bug review for Jetta wagons. Though seeing the 20% stock plunge and following a few 'Fraud Cap' traders did provide an interesting view into a possible reward mechanism for researchers who find illegal or dangerous defects in embedded code.
There's a class of hedge funds and independent traders that specifically search out frauds to profit off of exposing their malfeasance. The most famous of this group at the moment is probably Muddy Waters Research[1].
They look for companies that are trading at suspiciously high prices relative to their peers and then try to figure out why. In many cases lately, their targets are Chinese companies that "reverse-merge" with companies that are already listed on US stock exchanges. These companies are often partly or mostly fraudulent, and the "Fraud Cap" traders take large short positions and then publish their research to make immense profits off of the cratering share prices.
Their methods usually start with poring over financial records but often involve boots on the ground too. In one case, they hired people to literally count every truck that came and went from a factory that was claiming much more business than it was actually doing.
It's a fascinating part of the market and I think a net 'good' in the scheme of things, but I think it'd be interesting if hedge funds started deep dives on published code in an attempt to profit off of security holes or intentionally dishonest emissions controls.