It is my, unsubstantiated, guess that these kinds of standards are kept deliberately complicated and weak to allow the “three letter agencies” to exploit them. I would expect the government itself when needed uses the most secure or even an improved version of the spec which does not have these obvious vulnerabilities.

My US-made e-Bike is also “dumb”. A regular key to unlock it, a simple onboard trip computer, no apps, no bluetooth, a user replaceable battery… I can see the appeal of a “Tesla-like” e-Bike with a fancy app but reading about these companies going bankrupt makes me glad I got a simple bike.