I think that's the crux of it.

Obviously, "software update while traveling at highway speeds" is just rolling too many drama dice.

OTA is fine. Ideally parked, or minimally A/B on the firmware, new version only run on next startup.

I didn't read too deeply but I bet the drivetime failures were because the issue manifested after the vehicle started operating. A rolling FOTA update seems like it would not be certified and would be harder to implement anyway.

This would also mean the A/B failover would need to identify the problem as a bad update rather than a bug that pops up minutes later.

You're right, and I should not have implied homicidal negligence on the part of the engineers involved.

Assuming the best, it might just be an extremely rare corner case that was unknown and inadequately covered in QA.

This stuff can get complicated, and cars are the most dangerous technology that is sold to retail customers.