tekknik 5 days ago
> Generally, long range key fob button functions and the short range start release functions are separated, both intentionally for security reasons and due to the different problem space occupied by each.

I don't think this is true. For instance, how does the key fob trigger a start sequence for vehicles equipped with remote start? They must be connected to the same CANBUS, so the key fob can interface with the start systems. This is also how a lot of vehicles are stolen, because of abuse/misuse of CANBUS (i.e. headlights being addressable in CANBUS).
bri3d 5 days ago
Yes, remote start breaks the model… which is why drive off release and remote start are separate systems. On modern European cars with automatic transmissions, the TCU will not release Park until the immobilizer (short range, challenge response) is released, and generally the ECU also limits torque request and vehicle speed.

> This is also how a lot of vehicles are stolen, because of abuse/misuse of CANBUS

On vehicles with poor cryptography architecture (Honda!), yes. On most other vehicles, no, because the immobilizer messages are cryptographically authenticated, usually by using an AES MAC where the key must encrypt random bytes transmitted by the immobilizer master using a shared AES key, and all participating immobilizer modules use a similar system to verify that every module shares the same secret material.

Now of course if this secret material can be extracted the system breaks (see XHorse, Abrites, etc.) but this usually requires invasive and time-consuming attacks far beyond the headlight thing (for example, removing and physically opening a control unit to use an exploit to dump its key material).
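The challenge-response check described in the comment above, sketched in Go as an added example that is not part of the original thread and not any manufacturer's actual protocol. It assumes AES-128 and a single 16-byte challenge block; the function names and both keys are hypothetical, constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
)

// respond is the key/module side: encrypt the master's random challenge under the shared key.
func respond(key, challenge []byte) ([]byte, error) {
	if len(challenge) != aes.BlockSize {
		return nil, fmt.Errorf("challenge must be %d bytes", aes.BlockSize)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize)
	block.Encrypt(out, challenge)
	return out, nil
}

// newChallenge is the immobilizer master side: fresh random bytes for every attempt.
func newChallenge() ([]byte, error) {
	c := make([]byte, aes.BlockSize)
	_, err := rand.Read(c)
	return c, err
}

// verify recomputes the expected response and compares it in constant time.
func verify(key, challenge, response []byte) bool {
	want, err := respond(key, challenge)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare(want, response) == 1
}

func main() {
	shared, other := []byte("constructed-key!"), []byte("different-key!!!") // constructed sample keys
	c1, _ := newChallenge()
	r1, _ := respond(shared, c1)
	bad, _ := respond(other, c1)
	c2, _ := newChallenge()
	fmt.Println("paired module:", verify(shared, c1, r1))               // true
	fmt.Println("wrong key:", verify(shared, c1, bad))                  // false
	fmt.Println("old response, new challenge:", verify(shared, c2, r1)) // false
}
```

A message recorded from the bus is useless against the next challenge, which is why the comment locates the weak point in extraction of the shared key rather than in bus access.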