I remember when this was happening and I was surprised to learn that not only were there no good standards in automotive, reputable manufacturers like toyota didn’t even follow their own internal standards when developing software for critical bits.
Or to rephrase: it would appear they made no credible effort given the types of defects that occurred.
According to the PDF, they are not actually required to adhere to any software standards, and they did not always follow their own coding rules. An internal email admitted that "technology such as failsafe is not part of the Toyota’s engineering division’s DNA". They didn't even have bug trackers, config management OR COMMENTS in the 250k+ lines of code that were looked at. The software was full of bugs and terrible coding practices, plus the CPU was routinely pushed way too close to 100%. The ETCS code in question also had no unit tests, but it would be impossible to have them anyway due to their use of recursion in the code, which is also not supposed to be used in safety-critical systems.
In my mind, the software for at least the first two is typically written by people who don't primarily have an IT background, and at least in the past it was very clear that no skilled IT security engineers with any even reasonably recent knowledge were involved.
The truth is that embedded, safety critical software requires a set of skills that is not normally taught in computer science or in electrical engineering degrees unless the students intentionally specialize in that direction.
Or to rephrase: it would appear they made no credible effort given the types of defects that occurred.