So ... using modest imagination and not detective work as there's insufficient information and at a distance of thousands of miles ... they might have been running something Really Secure (TM) as their OS, but put a Virtual instance of something Not Secure (no trademark necessary) to run a vital piece of legacy software. It would explain an original WannaCry, and the quick recovery. Only 24 hours, so no Karōshi (過労死).
It's been alluded to before, but perhaps the automotive IT people did prevent WannaCry by turning off some OS service. Perhaps they even compiled a batch / registry file to ensure that all unwanted OS services were still turned off after an OS update. Perhaps said update happened unexpectedly. Perhaps nobody was there to disconnect networking while the update was in process. Perhaps Coupling.