Agreed. Another could be solo blackhats who just want to make money, who have no state sponsorship. Tangental, but I also hesitate to create such a massive bucket for "mental instability" like that. It's easy to find when someone who does something difficult to understand, or against what we would do ourselves, and then just say "well they're mentally unstable." Definitely the case for some, but it seems like a lazy dismissal with no attempt or interest at understanding.
I was using "maliciously exploit" here to describe what would basically be the worst case scenario of such a bug (instructing every Tesla to deliberately crash at high speed). I don't think it's in any way a stretch to characterise someone who would do that as mentally unstable.
Of course there's many other ways you could exploit such a bug, but in the context of a "multi-billion dollar" event, it's really only The Big One that's in frame here.
Someone could be sociopathic enough to cause the crashes, but still prefer the money. It definitely seems like you could negotiate for more if you can play the part of that sociopath and don't mind a little bit of extortion.
Those two types in particular are examples of actors that are willing to break the law in this way. Competitors aren't going to contract a hack - like the parent comment said, every 3 letter agency would be after you and suddenly your executives are going to prison.
Public confidence is priceless in the automative space. The risk of bleedover onto the market segment as a whole would make that an incredibly risky (read: stupid) stunt for a competitor to pull, not to mention the legal and reputational risk if they're discovered.