First, a modern car is likely not more complex than an operating system. That the car "contains several operating systems in itself" isn't especially meaningful, because operating systems are not fungible. The "OS" controlling your ABS system (for example) is going to be as simple as possible. Windows on the other hand is aiming for as general as possible.
Second, you do have licensing agreements with your car. You have warranties that become void if you do X or Y, if you fail to properly maintain Q or R, etc. And those various OSes in the car are not sold to you any more than Windows is. They are licensed, under what specific terms I don't really know.
That's got to include stuff like the stereo and navigation systems, which seems like cheating. The engine-management and safety-related systems are bound to be much smaller, and certainly don't need to me so large.
They are attack surfaces. Everything in the car is networked. Look at the paper: you can attack the engine through the gps. Maybe that was a different paper but I think it's in there.
They are attack surfaces ... you can attack the engine through the gps.
Sure, but the "attack surface" of the engine management firmware itself isn't enlarged by the presence of an insecure GPS system, is it?
I don't know if the people developing engine management firmware think about fire-walling themselves off from the rest of the in-car network. Certainly, they should. If they do, then the size of the code in the rest of the car doesn't seem relevant in terms of securing the really important stuff.
Second, you do have licensing agreements with your car. You have warranties that become void if you do X or Y, if you fail to properly maintain Q or R, etc. And those various OSes in the car are not sold to you any more than Windows is. They are licensed, under what specific terms I don't really know.