There's one critical point that Mr Inglis has missed. Cars and software are very different things. If he'd narrowed it down like "Software to manage critical safety functions of cars" should work like car safety recalls, or "Software to manage medical devices", or "Software to manage financial data where the financial exposure exceeds $100,000 per month", he might have had a point.
Tarring avionics software with the same brush as a suduku app on my phone with the same brush is a disservice to the industry, the economy, and to the information age.
A US national cyber director should be familiar with the concept of risk; the product of the impact, and probability of an issue in software, and issues with my suduku game should be treated the same way as car safety recalls.
Now in fairness, this isn't a US specific problem; we have this problem in the EU as well with the likes of the cookie law; laws written by politicians and lawyers, without the insight of engineers and subject matter experts who better understand the problem that needs to be solved.