It's the US corporate obsession with 'IP'
Quite apart from the retardedness of attempting to 'bolt-on' datasec because designers didn't think about it at the design phase, the carmakers' approach to their onboard systems is identical to banks' approaches to their client datasec (including, but not limited to, the security protocols for web interaction).
That approach centres on developing everything themselves, in order to have a proprietary system. That way, the expense is R&D and can be amortised (and/or marked up as an intangible asset).
In the software crypto world, one of the very first things that good crypto devs will tell you is "Do not try to develop your own crypto. P(you miss something critical)=1. Use an open-source library."
And yet time and time again, software firms have implemented their own versions of data encryption - the best example being Microsludge with NTLM (a really sick joke of an encryption protocol) - and it turns out that their 'roll your own' approach was vulnerable to a fundamental exploit (timing oracles, padding oracles, or any of the other shocks that crypto flesh is heir to).
Being crowd-checked isn't a guarantee, as the OpenSSL vulns from last year make clear... but it's a good deal better than having black-boxed code (often code that is badly documented - so if key members of the dev team leave, you can't make head nor tail of it).
Carmakers also know that most car buyers will never become aware of the vulnerability - journalists are stupid, power-craven and technologically illiterate, and so will repeat whatever talking points are being promulgated by the car manufacturer.
I can see it now... a 500-car pileup on a major turnpike, with cars' brakes failing to respond, and accelerators 'pedal to the metal'; the TV news would say
<blockquote>"Tragedy today on the roads, as global warming caused electrical malfunctions in 500 vehicles. Witnesses say that cars rammed into the pileup - which began with a semi-trailer that had jack-knifed. ISIS immediately claimed responsibility, claiming that it had hacked the systems of the vehicles, however a spokesman for the White House said that this was 'clearly propaganda trying to exploit this climate-caused catastrophe' and that the event reinforced the need to ratify the Paris climate accord. Industry insiders agree: in Detroit is our Maggie BleachedTeeth with a spokesman for Ford. Over to you Maggie..."</blockquote>