Great post - thanks!
Note that unlike "classic" CAN, CAN FD and (particularly) CAN XL allow the implementation of authentication and cryptography.
Sorry, but that sounds like marketing wank to me. You can absolutely authenticate/encrypt the data on CAN and CAN FD, and you SHOULD in certain cases, such as if you're using the bus to pass sensitive data. In fact you can't simply reprogram an ECU over UDS, you need to authenticate yourself first (for many ECUs the keys are known and can't be changed, but for most of the recent ones it's another story..)
Every case of car thievery due to abuse of the CAN bus was because of abuse of the CAN bus and other fundamental deficiencies in the system's design.
For example, in BMWs you can start the engine and monitor the bus at all times. This is a great feature for mechanics as they can automate some procedures. Also a great feature for thieves as they can trivially pick the door locks and start the car and go away without ever needing the key. Even better, if a bus line is accessible from the outside and you can talk OBD on that bus. This was ultimately corrected in the latest series (later F, G models) in which the OBD port bus is dedicated and if you try to put an extra active transceiver on the bus (doesn't need to communicate) without having the key around... you have 30 seconds to get the key!
Problem was not in CAN bus per se, but in the lack of authentication that was later added in software.
All those Hyundai, Mazda, etc. that have the radio connected to the main CAN bus line, and said radio provides an in-car wifi, and said wifi is advertising and unprotected? Seems to me the problem is not in the use of CAN bus for the radio.
The Toyota issue described here, Toyota decided it was a good idea to put the authentication on the same bus as other services, in this case the headlight. They also made the connector accessible from the outside with no physical protection other than a flimsy plastic cover you can detach in less than 10 seconds (instead of, say, having to remove the headlight because a solid piece of metal prevents you from detaching the connector when the light is in place). And as far as I know, they didn't even change the authentication code to let the ECU accept virgin keys (which is more or less how they steal those, they have a keyfob, plug in the programmer which puts the ECU in keyfob acquisition and poof! their key is the new key).
Here I don't see how CAN XL and other layers of encryption would have prevented the problem from happening.
By the way, not too long ago you could steal Land Rovers the same way, only from the rear lights (thief would smash the light, access the CAN bus, open the car).
I personally prefer the bus to be open, with data in plaintext and possibly encoded by following standards, with exceptions for security/privacy reasons (so encrypt the location, video stream, firmware during update at will)
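An added example, not part of the comment above or of any vendor's code: a sketch of software authentication inside a classic 8-byte CAN payload, using a truncated HMAC and a freshness counter so that tampered and replayed frames are rejected. The frame layout (4 data bytes, 1 counter byte, 3 tag bytes), the key and the class names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

KEY = bytes(range(16))  # constructed demo key; real keys are provisioned per ECU
MAC_LEN = 3             # truncated tag so data + counter + tag fit in 8 bytes

def _tag(can_id: int, counter: int, data: bytes) -> bytes:
    # Bind the tag to the arbitration ID and the full (untruncated) counter.
    msg = struct.pack(">IQ", can_id, counter) + data
    return hmac.new(KEY, msg, hashlib.sha256).digest()[:MAC_LEN]

class Sender:
    def __init__(self, can_id: int):
        self.can_id, self.counter = can_id, 0

    def build(self, data: bytes) -> bytes:
        if len(data) != 4:
            raise ValueError("this layout carries exactly 4 data bytes")
        self.counter += 1
        low = bytes([self.counter & 0xFF])  # only the low byte goes on the wire
        return data + low + _tag(self.can_id, self.counter, data)

class Receiver:
    def __init__(self, can_id: int):
        self.can_id, self.last = can_id, 0  # last = highest counter accepted

    def accept(self, payload: bytes):
        """Return the 4 data bytes if the frame is fresh and authentic, else None."""
        if len(payload) != 8:
            return None
        data, low, tag = payload[:4], payload[4], payload[5:]
        # Rebuild the full counter: smallest value above self.last with this low byte.
        counter = (self.last & ~0xFF) | low
        if counter <= self.last:
            counter += 0x100
        if not hmac.compare_digest(tag, _tag(self.can_id, counter, data)):
            return None  # forged, tampered, replayed or from another ID
        self.last = counter
        return data
```

A replayed frame fails because the receiver recomputes the tag with a counter higher than the one the sender used. A 24-bit tag is short, so a receiver using a layout like this should also count and limit verification failures.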