A car that has an app, a car that can be remotely updated, and a car that has all communication running through the same BUS, may be susceptible to remote break in without requiring any sort of physical access. Now the firmware may require signature verification to be patched, however in this case all we need is to corrupt the existing firmware or atleast make it seem like we had access to it in order to trigger an auto-downgrade.

Regardless, even under your logic an auto-downgrade without a user's input is completely unwarranted for.