> My suspicion is that this was either a CAN saturation issue (ie - infotainment started sending a high priority message which could reach powertrain CAN) or a state management issue (ie - infotainment sent a “put modules to sleep” or “wake modules” message which was not handled correctly and caused one or more modules to transition to an invalid state for driving).

The fact that this possible proves the point: OTA updates are dangerous and should be banned.

I don’t agree that OTA should be banned, but I do think that additionally restricting in-motion OTA could be reasonable. OTA which is always opt in and modal is no different from diagnostic port updates except that it cuts out the need for a dealer visit. This seems fine to me.

Yeah I am fine with OTA updates affecting anything as long as they are explicitly opt-in. I'd support mandating a physical switch that controls the power to the modem to be present.

There’s usually a fuse you can pull for the telematics/modem unit

That's exactly what I do with mine but apparently more and more manufacturers are putting the modem unit behind the same fuse that powers something essential.