Given the extremely dangerous potentials of such a mix-up, I would very much doubt an "Oops" moment would occur. Quite honestly, the way they run the company, I wouldn't be surprised if the process of pushing an OTA update to the automobiles is akin to launching a nuclear missile.

Fifteen years ago, NASA lost a Mars orbiter because one of their contractors used Imperial measurements when NASA used metric.

Swissair 111 crashed because the operator installed a new entertainment system which overheated.

A lot of serious systems made by serious people still end up with stupid problems.

While that is true, it also means that the 'serious firmware' developed for the car probably has stupid problems.

And it might be safer and cheaper to have the option of fixing problems when you find them, because if you don't have that option, you're forced to weigh the costs of a recall against the risks of the issue for every little thing.