@Bas Scheffers
I think they chose a different kind of "Cheap", since the transponder is already an independently powered gizmo, range is assured and cost is already a goner. I think they chose "Cheap" as in "This High School Kid doesn't charge much".
(Which is also the level of competence that forgets the code-protection bit.)
To be fair to them, once the black-hats came into play it was a fair bet that any symmetric keys in the firmware would be discovered, any bespoke crypto function would be analysed and even small asymmetric keys might have been factorised.
But that doesn't excuse them from making such a piss-poor effort. It would have been trivial for the transponder to broadcast the time and place of its previous authentication as part of the handshake, and that would have raised the bar much higher for an attack.
I'm now jacking in my lucrative consultancy career to start tendering for government projects. Don't tell anyone but I'll just sell them the Fisher-Price version, in a slightly less sturdy box.
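
The previous-authentication check suggested in the comment above, modelled from the backend's side as an added example (not part of the original comment, nor code from any real transponder system). The class names, record format and sample values are assumptions, and the record is compared in the clear with no cryptography modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class LastAuth:
    timestamp: int  # seconds, constructed sample values
    place: str      # reader identifier (hypothetical naming)

class Transponder:
    """Credential plus the device's own record of its previous authentication."""
    def __init__(self, tag_id, last=None):
        self.tag_id = tag_id
        self.last = last

    def clone(self):
        # Models a device duplicated with all of its state at that moment.
        return Transponder(self.tag_id, self.last)

class Backend:
    def __init__(self):
        self.last_seen = {}  # tag_id -> LastAuth as recorded by the backend
        self.alerts = []     # (tag_id, now, place, reported, expected)

    def authenticate(self, tag, now, place):
        expected = self.last_seen.get(tag.tag_id)
        if tag.last != expected:
            # The device's history disagrees with ours: two devices share this id.
            self.alerts.append((tag.tag_id, now, place, tag.last, expected))
            return False
        record = LastAuth(now, place)
        self.last_seen[tag.tag_id] = record
        tag.last = record  # device stores the new record for its next handshake
        return True

def run_scenario():
    backend = Backend()
    genuine = Transponder("TAG-0001")  # constructed id
    results = [backend.authenticate(genuine, 1000, "reader-A")]
    copy = genuine.clone()
    # The copy's state still matches, so its first use is accepted...
    results.append(backend.authenticate(copy, 2000, "reader-B"))
    # ...but the genuine device now reports reader-A while the backend expects reader-B.
    results.append(backend.authenticate(genuine, 3000, "reader-C"))
    return results, backend.alerts

if __name__ == "__main__":
    print(run_scenario())
```

The check does not stop the first use of a duplicated device; it makes the duplication visible as soon as both devices have been used, which is the higher bar the comment describes.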