It's not good that they allow anyone that happens to be in your car briefly root access. It'd be live having an always-on laptop in your office with a open shell on it.

They should have provided some mechanism for the real owner to approve updates if the updates aren't all trusted by default.

Surely due to incompetence rather than hacker friendliness though?

Otherwise they would have had something like an unlockable bootloader where you need a special key to unlock it, or something difficult to access switch or something like that.