Manufacturers for even allowing that to exist (why the fuck would a telemetry app made by a company making radio channels have permissions to unlock the car in the first place) and the company for woeful errors in security and data protection.
Because that "radio channels" company already has expensive infrastructure in place to transmit to cars in most of North America, and established relationships with car manufacturers, and thus is already integrated into their supply chain.
SiriusXM is a company that does a lot more than just "making radio channels." This is an egregious security issue, but SXM offering the service makes sense. They also offer an aviation weather service.
When you look at the physical layer it's just a 1.5 mbit data stream carrying whatever you want, pointed at most of North America. Over time some of that bandwidth was carved out for data services at the expense of audio quality.
I’m aware that in this case there was something even dumber, an unsecured API endpoint, but as far as I know, if you’ve managed to reach the system you can do anything with any other connected device. There should not be a way to be able to do whatever you want just because you have access to the network.
I recall reading that some cars are now using TCP/IP for connecting some of their systems. A _super_ quick search on this topic yields some results speaking to this [0].