> Toyota couldn't push out a fix. They had to issue a recall and have a technician update the software whenever that car ended up being serviced.

This gives all the more incentive to get the software correct in the first place. The model of "get the software as bug-free as possible upfront using stringent processes, testing, formal methods, and not using software in the first place when it's not actually needed" is better than the model of "put software into as many components as possible to make it shiny and get the software good enough to release before our competitors and play whack-a-mole on the bugs later through updates". Instantaneous updates make it easier for an attacker to take control of the update infrastructure and push an update that will trigger a mass-crash of cars during rush hour. When people have to asynchronously take the car to dealerships over many months, it makes this attack harder to go undetected.