Hacker News

I mean, sure, but that’s not remotely what’s being discussed here.

Those very well could be catastrophic failures, but that doesn’t in any way, shape or form change this also being one.



Your argument was ‘the meter should be designed to be robust to software error at the power company’

My argument is that ‘software error at the power company’ can easily cause catastrophic failures at the meter, which it stands no chance of being able to prevent. So why should it specifically be built to defend itself against the remote possibility that the master control program sends it too many on/off switch commands too quickly?


"robust" doesn't mean "immune to every possible variant". An inability to protect against the wrong voltage doesn't imply you shouldn't bother to protect it against wrong commands.

Why should it specifically be built that way? Because it's bad for devices to self-destruct with no attempt at mitigation whatsoever.


Actually, my argument was "the meter should be designed to be robust enough to prevent this particular issue".

As the other commenter stated, that does not in any way imply "robust against all possible issues coming upstream" and it would be ridiculous to expect that.


With physical hardware being operated outside its design limits, ‘robust’ can mean ‘has safety mechanisms to prevent it happening’, but it can also just mean ‘fails in a way that is serviceable without causing collateral damage’. Or ‘fails catastrophically but at least without causing loss of life’.

Which scenarios you engineer the system to tolerate with what level of survivability and serviceability is going to be a matter of engineering to budget, right?


Turning something, anything, on and off a few times seems well within the design limit for such a device.

If a standing desk and shredder can handle that, then a smart meter should very much also be able to.

None of this was your original point, anyway. You instead chose to focus on a completely different and irrelevant failure case.

There is a world of difference between "voltage regulation issues might cause major problems" (your point) and "turning the thing on and off too quickly causes the whole thing to self-destruct" (the actual point).
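The thread's point that a meter should make some attempt at mitigation against wrong commands, rather than self-destruct, is usually implemented in the device firmware as a guard in front of the contactor: a minimum dwell time in each state plus a budget of switch operations per window, with refused commands counted as telemetry instead of executed. The following is an added example written for this page, not code from any meter vendor or from anyone in the thread; the limits (5 s dwell, 3 toggles per 60 s), the `relay_guard_*` names and the simulated command storm are all hypothetical, constructed to show how the guard behaves when a head-end bug sends alternating on/off commands far too quickly.

```c
/* Added example: a rate-limiting guard for a relay-controlled service
 * disconnect. Hypothetical firmware; names and limits are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MIN_DWELL_MS           5000u   /* contactor must rest this long in one state */
#define WINDOW_MS             60000u   /* sliding window for the toggle budget */
#define MAX_TOGGLES_PER_WINDOW    3u   /* switch operations allowed per window */

typedef struct {
    bool     relay_on;
    uint32_t last_change_ms;
    uint32_t toggle_times_ms[MAX_TOGGLES_PER_WINDOW]; /* ring of most recent toggles */
    uint32_t toggle_count;   /* total toggles ever; also the ring index */
    uint32_t rejected;       /* commands refused by the guard (telemetry counter) */
} relay_guard_t;

typedef enum {
    CMD_ACCEPTED,            /* contactor actually moved */
    CMD_NOOP,                /* already in requested state; nothing switched */
    CMD_REJECTED_DWELL,      /* reversal requested before minimum dwell elapsed */
    CMD_REJECTED_BUDGET      /* too many toggles in the sliding window */
} cmd_result_t;

void relay_guard_init(relay_guard_t *g, bool initial_on) {
    g->relay_on = initial_on;
    g->last_change_ms = 0;
    g->toggle_count = 0;
    g->rejected = 0;
    for (uint32_t i = 0; i < MAX_TOGGLES_PER_WINDOW; i++) g->toggle_times_ms[i] = 0;
}

/* Apply one remote on/off command at monotonic time now_ms. The guard decides
 * whether the contactor moves; the head-end's intent is never trusted blindly. */
cmd_result_t relay_guard_apply(relay_guard_t *g, bool want_on, uint32_t now_ms) {
    if (want_on == g->relay_on) return CMD_NOOP;  /* idempotent: no contactor wear */

    /* Unsigned subtraction tolerates a wrapping millisecond counter. */
    if (g->toggle_count > 0 && (now_ms - g->last_change_ms) < MIN_DWELL_MS) {
        g->rejected++;
        return CMD_REJECTED_DWELL;
    }

    /* The ring holds the MAX most recent toggles; if all of them fall inside the
     * window the budget is spent, otherwise fewer than MAX occurred in the window. */
    uint32_t stored = g->toggle_count < MAX_TOGGLES_PER_WINDOW ? g->toggle_count
                                                              : MAX_TOGGLES_PER_WINDOW;
    uint32_t recent = 0;
    for (uint32_t i = 0; i < stored; i++)
        if (now_ms - g->toggle_times_ms[i] < WINDOW_MS) recent++;
    if (recent >= MAX_TOGGLES_PER_WINDOW) {
        g->rejected++;
        return CMD_REJECTED_BUDGET;
    }

    g->relay_on = want_on;
    g->last_change_ms = now_ms;
    g->toggle_times_ms[g->toggle_count % MAX_TOGGLES_PER_WINDOW] = now_ms;
    g->toggle_count++;
    return CMD_ACCEPTED;
}

/* Constructed scenario: a buggy head-end sends n_cmds alternating off/on
 * commands spaced interval_ms apart to a meter whose service is on.
 * Returns how many commands actually moved the contactor. */
uint32_t simulate_command_storm(uint32_t n_cmds, uint32_t interval_ms) {
    relay_guard_t g;
    relay_guard_init(&g, true);
    uint32_t accepted = 0;
    for (uint32_t i = 0; i < n_cmds; i++) {
        bool want_on = (i % 2u == 1u);               /* off, on, off, on, ... */
        uint32_t t = 1000u + i * interval_ms;
        if (relay_guard_apply(&g, want_on, t) == CMD_ACCEPTED) accepted++;
    }
    return accepted;
}

/* A fast reversal right after a switch is refused on dwell, not executed. */
bool dwell_rejects_fast_reversal(void) {
    relay_guard_t g;
    relay_guard_init(&g, false);
    return relay_guard_apply(&g, false, 0) == CMD_NOOP
        && relay_guard_apply(&g, true, 100) == CMD_ACCEPTED
        && relay_guard_apply(&g, false, 200) == CMD_REJECTED_DWELL
        && g.rejected == 1;
}

int main(void) {
    printf("10 commands at 200 ms: %u executed\n", simulate_command_storm(10, 200));
    printf("12 commands at 6 s:    %u executed\n", simulate_command_storm(12, 6000));
    return 0;
}
```

With the constructed limits, a storm of ten commands 200 ms apart moves the contactor exactly once (the rest are dwell rejections or no-ops), and twelve commands six seconds apart get three operations in the first minute and a fourth only once the oldest toggle has aged out of the window. The `rejected` counter is the part worth reporting upstream: a meter that refuses a burst and says so turns a silent hardware failure into an observable head-end bug.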



