That is an answer, except consider the situation where a flaw is detected in the manufacturer's code. The cost to fix is to replace the entire chip. Which is fine, from a process standpoint, but these cars are going to be competing with other cars in the market and will have a higher "service cost" and that higher cost will dissuade people from buying (because historically less than 5% of the market is willing to pay a higher price for something that is "more secure").
So while I agree with you, unless it were federally mandated for all cars, the ones that didn't do it would have lower cost of ownership and get more buyers.
The buyer pays about $600 extra for the "Internet-enabled" version of the car. It's an option; you don't have to buy it, and, after this, probably shouldn't. If you didn't buy it, software updates require a dealer visit. I have a 2007 Jeep Wrangler with no external interfaces, and it's been in three times for software updates for basic automotive functions, such as stability protection and engine restart.
Cars go back for recalls all the time. Having to physically replace a part isn't a big deal. Dealers have a supply chain in place for obtaining parts from the manufacturer.
It's an option; you don't have to buy it, and, after this, probably shouldn't.
Unfortunately, at least for some cars, all these options are bundled together in packages. Unless you buy the base model, you'll get the Internet as part of a package of other features that you want.
I think that nowadays the better answer would be to go in and physically rip out the cellular antenna. Easier said than done.
I don't think they implied that the chip should be read only, you should still be able to have a flashable firmware of some sort.
But instead of giving this chip which should be read-only regulated by software direct access to the bus, route it through a bit of extra on board circuitry which physically prevents it from writing data to the bus. This would enforce the readonly client in hardware, not firmware.
Sadly CAN bus doesn't have that option, although I suppose you could put a MITM sort of device which rejected any write packets. Could be an interesting gizmo to market to car makers.
So while I agree with you, unless it were federally mandated for all cars, the ones that didn't do it would have lower cost of ownership and get more buyers.