You have to weigh the risks of manipulating cars one at a time because they don't have the latest updates with the risk of manipulating all cars at once because they can be remote controlled. A more expensive alternative to over the air updates is requiring regular updates done by a mechanic, e.g. when the vehicle is due for an inspection.
I don't really think OTA updates is the problem, so much as the automatic application of the updates without owner awareness (or consent to possibly significant feature changes). Preventing OTA is not the same as preventing remote control -- vehicles WILL be networked, if only for collision avoidance. OTA could be very useful if a bad exploit becomes widely available -- like a protocol bug in the V2X network that lets you crash the V2X module. Many bugs are discovered after being in production for years.
If you allow users to approve and roll back updates then there is some ability to recover after bad updates. Of course, you don't want theives to be able to roll back to a vulnerable release, but you can require the master owner key & code for rollback.
