Yes, remote start breaks the model… which is why drive off release and remote start are separate systems. On modern European cars with automatic transmissions, the TCU will not release Park until the immobilizer (short range, challenge response) is released, and generally the ECU also limits torque request and vehicle speed.

> This is also how a lot of vehicles are stollen, because of abuse/misuse of CANBUS

On vehicles with poor cryptography architecture (Honda!), yes. On most other vehicles, no, because the immobilizer messages are cryptographically authenticated, usually by using an AES MAC where the key must encrypt random bytes transmitted by the immobilizer master using a shared AES key, and all participating immobilizer modules use a similar system to verify that every module shares the same secret material. Now of course if this secret material can be extracted the system breaks (see XHorse, Abrites, etc.) but this usually requires invasive and time consuming attacks far beyond the headlight thing (for example, removing and physically opening a control unit to use an exploit to dump its key material).