I agree about the control portion. Even if the option is enabled by a hacker, OVMS doesn't contain the necessary code to control anything on the car. I think even if it tried to control the car, the most it could do is cause the car to reboot. Now if we drove Tesla Roadsters, however, they could unlock the car, run the battery down, prevent charging, and activate Valet Mode.
Not all hacks are weak passwords. Some are as simple as a bogus email phishing where even very strong passwords are useless if the recipient isn't careful (iCloud intrusion), others are more complex like Heartbleed. Brute force attacks, 0-day attacks, exploits, and such won't be stopped by a password. Most of these are weaknesses in the coding of the software itself.
Also, who's to say that 100% of the support crew for internet servers are totally honest? Hacks aren't always an outsider.