by emidln 4531 days ago
That's not really the case. Some of them unlock via low frequency RF, but to my knowledge they still use encryption that uses their button click count as one of the variables plus a shared secret.

Yes, but the point of this scheme is that the car "believes" the key is in close range. If that is enough to get it to open the car, the thieves don't have to break any encryption, they just need to relay the RF signal. The faulty assumption on the part of the car manufacturers is that "RF signal present" equals "keyfob nearby".
No system I've been exposed to was defeated by a simple replay attack. You needed the shared secret and the click count (plus proprietary algorithm), which would be incorporated into the OTA message. Most LF systems are pretty low-bandwidth as well, and lock out quite quickly.
To clarify, I'm not talking about a replay attack. It's a _relay_ attack where they use the RF signal transmitted by the actual car/key, just over a bigger distance than you would normally expect.
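
Added example, not part of any comment in this thread: a small model of the verifier the thread describes (shared secret plus click count), showing that a replayed message is rejected while a fresh message forwarded from the real fob still passes, because the check proves key possession and not proximity. HMAC-SHA256 stands in for the proprietary algorithm, and the counter window, the microsecond figures and the round-trip limit are assumptions introduced here as one possible proximity check.

```python
import hashlib
import hmac

SECRET = b"constructed-shared-secret"  # constructed sample value
WINDOW = 16                            # assumed counter resync window


def fob_message(secret: bytes, count: int) -> bytes:
    """Message the fob emits: 4-byte click count plus a truncated MAC."""
    body = count.to_bytes(4, "big")
    return body + hmac.new(secret, body, hashlib.sha256).digest()[:8]


class Car:
    def __init__(self, secret: bytes, max_rtt_us=None):
        self.secret = secret
        self.last_count = 0
        self.max_rtt_us = max_rtt_us  # None = no proximity check at all

    def receive(self, msg: bytes, rtt_us: float = 0.0) -> str:
        if len(msg) != 12:
            return "reject: malformed"
        body, tag = msg[:4], msg[4:]
        expected = hmac.new(self.secret, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return "reject: bad tag"
        count = int.from_bytes(body, "big")
        # Rolling code: only counters ahead of the last accepted one pass.
        if not self.last_count < count <= self.last_count + WINDOW:
            return "reject: stale counter"
        # Assumed mitigation: bound the measured challenge/response time.
        if self.max_rtt_us is not None and rtt_us > self.max_rtt_us:
            return "reject: round trip too long"
        self.last_count = count
        return "unlock"


def demo() -> dict:
    car = Car(SECRET)
    first = fob_message(SECRET, 1)
    out = {"legit": car.receive(first), "replay": car.receive(first)}
    # Fresh message from the genuine fob, forwarded over a longer path
    # (constructed 40 us round trip): cryptographically valid, so it passes.
    out["relayed"] = car.receive(fob_message(SECRET, 2), rtt_us=40.0)
    bounded = Car(SECRET, max_rtt_us=2.0)
    out["relayed_bounded"] = bounded.receive(fob_message(SECRET, 1), rtt_us=40.0)
    out["nearby_bounded"] = bounded.receive(fob_message(SECRET, 1), rtt_us=0.5)
    return out


if __name__ == "__main__":
    print(demo())
```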