On one hand you are right, but only if we can ignore the highly increased risk of electric malfunction from the extensive traditional (non bus based) wiring. This was a common problem in the 1980s when electric gadgets became numerous, but no standard bus was used on many such cars.
To overcome this the plan back when I was working on that product was to use 2 system buses, one isolated internal for the safe critical sensor/control network, and one user facing untrusted bus, with a ECU designed to serve as a firewall basically.
Why even have the firewall? Wouldn't a true airgap be preferable? At the same time, having say steering and brakes on the same bus adds a single point of failure to both steering and brakes, which is not ideal.
Cost and risk management. These systems undergo rigorous safety evaluation, auditing, and testing. This is a manageable risk (very low) given the business requirements and the threat model.
Having to account for a DOS attack from a compromised head unit or some such just seems like a nightmare.