Concretely, why not? If you don't get updates, there's nothing to break the thing -- and if you don't have a network connection, you don't need the security updates.
I would be on board with this if the system was not touching the outside world, but it does every time you hook a smartphone to it or if you have an optional data network. Just like with our smartphones, there's nothing stopping a car company from pushing system-damaging updates when they want to steer us toward buying a new vehicle since that one is too outdated/no longer supported.
What you say can be true about a static isolated system, though. My employer has a Windows XP computer still running a machine in our factory. The PC was built built in 2006, connected to the Internet once upon deployment then disconnected thereafter. It has been running the software and machine more or less untouched since, receiving zero updates, performing it's duty as it was built to.
I'm not opposed to a player connected to a phone or other network, but that player doesn't need to be on the CAN bus, or any other car bus. Car speed for volume control, steering wheel buttons, lights, etc. can be communicated from the car to the player via dedicated wires (on/off, pwm, voltage ladder, etc.) like they did it in the early 2000s.
I'm happy to manually apply updates for my immobilizer as necessary. Keyless entry is already broken (recent front page) and can't be fixed via update AFAIK at least without leaving behind all current fobs. Given that it's still using a proprietary encryption scheme from the mid 80s it doesn't seem the manufacturers were particularly concerned about security to begin with.
Not likely, because they're extremely short range (one centimeter or so). The attacker would need to turn the duplicate key in the ignition exactly at the time the other attacker bumps into the owner, exactly on the correct side where the pocket with the key is, and precisely match the position of the key in the pocket with the antenna in the attacker's pocket/bag/whatever. And if the key is in a handbag, then good luck trying to get a reader close to it.
But then, how would they get a duplicate of the ignition key?
Since at least 2009 it has been possible to duplicate keys using photography, a hobbyist replicated the work in 2018. So take a photo when the keys are out somewhere; on a table, or when unlocking the car.
