Things are getting better, slowly. Remember the Chrysler vulnerability of a few years back which allowed root dbus calls directly from the internet with a default password, so that anybody could crash a car remotely?
Computer security as applied to the automotive industry is now being taught at the University technical colleges in the UK, so some cars of the future (e.g. JLR) should at least have better authentication and a chain of trust. But how much of this software development is being guided by this when the cheaper programmers are elsewhere in the world and the directors think that sales depend on features/benefits more than security?
The problem here is that most of these attack vectors involved hacking the manufacturer and getting hold of the credentials from the inside, so it doesn't matter if you have a strong password, trusted certificates or even blockchain tech, people get to your car and account through the front door with that.
So it's more a matter of if, rather than how, hence the PR efforts to prevent widespread panic about car security.