Re: How I would program it...
Making the OBD port inactive when the immobilizer is active is a bad idea. Early Peugeots and Citroens with Lucas diesel injection were like this, and it meant that if there was any fault with the immobilizer system, the diagnostic tool which might tell you what the problem was would not connect.
BMW's bleating about the standard OBD protocol is also bogus. The standard mandated protocol is limited only to reading emissions-related fault codes and data from the engine ECU; there is nothing in the standard about ABS, transmission, airbags, or immobilizer systems, and the manufacturers have all defined their own protocols for these purposes. The only requirement for such a proprietary protocol is that it doesn't stop the standard one from working, so a different destination address in the packet headers will achieve that.
Once you have defined a non-standard destination address you simply put your own crypto and authorization on the top, in the packet payload, and for reprogramming of immobilizer key codes, you should certainly do this. With many manufacturers the car is supplied with a special code which the tool will need in order to authenticate to that particular car for security-related processes. If you lose the code then you have to get it back from a dealer and for that you will need the registration document and proof of ID. Just don't leave that piece of plastic with the code on it inside the car....
It would seem that BMW have used a universal code rather than a vehicle-specific one, or have encoded it with something that a tool can freely read out, and that this algo has been cracked.
The solution for this is for BMW to rewrite their immobilizer firmware for every BMW that's affected, and then offer all owners a reflash. Normally these ECUs have a way to update firmware using the same OBD port. They may also need to find a way to stop thieves simply rewriting old vulnerable firmware back, such as adding some security into the reflash protocol.
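
The design described in the post above (standard address left open, a per-vehicle code authenticating the proprietary immobilizer service), as an added sketch that is not part of the original post and not any manufacturer's protocol. The addresses, code values, class and function names, and the HMAC challenge-response are all assumptions chosen for illustration:

```python
import hashlib
import hmac
import secrets

# Constructed values for illustration; not real OBD or manufacturer addresses.
ADDR_EMISSIONS = 0x01   # standard service: read-only, never authenticated
ADDR_IMMO = 0x40        # proprietary immobilizer service (hypothetical)

def tool_tag(vehicle_code: bytes, nonce: bytes, payload: bytes) -> bytes:
    """Tool side: prove knowledge of the per-vehicle code for this request."""
    return hmac.new(vehicle_code, nonce + payload, hashlib.sha256).digest()

class Ecu:
    def __init__(self, vehicle_code: bytes):
        self._code = vehicle_code   # per-vehicle secret, never sent on the bus
        self._nonce = None          # outstanding challenge, single use
        self.key_ids = []           # key identifiers accepted so far

    def challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def handle(self, addr: int, payload: bytes = b"", tag: bytes = b"") -> str:
        if addr == ADDR_EMISSIONS:
            # Answers whatever the immobilizer state, so faults stay diagnosable.
            return "fault codes: none"
        if addr != ADDR_IMMO:
            return "unknown address"
        nonce, self._nonce = self._nonce, None   # consume before verifying
        if nonce is None:
            return "denied: no challenge"
        if not hmac.compare_digest(tool_tag(self._code, nonce, payload), tag):
            return "denied: bad tag"
        self.key_ids.append(payload)
        return "key programmed"

def demo() -> list:
    code_a = b"constructed-code-A"
    car_a, car_b = Ecu(code_a), Ecu(b"constructed-code-B")
    out = [car_a.handle(ADDR_EMISSIONS)]             # open standard read
    tag = tool_tag(code_a, car_a.challenge(), b"KEY-0001")
    out.append(car_a.handle(ADDR_IMMO, b"KEY-0001", tag))   # correct code
    out.append(car_a.handle(ADDR_IMMO, b"KEY-0001", tag))   # replayed frame
    tag_b = tool_tag(code_a, car_b.challenge(), b"KEY-0001")
    out.append(car_b.handle(ADDR_IMMO, b"KEY-0001", tag_b)) # other car's code
    return out

if __name__ == "__main__":
    print(demo())
```
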