I think a substantial portion of the actual problem is using the CAN bus for things other than status data. A lot of things become much easier to secure if you only have an ECU with clearly-specified functionality bridging the safety-critical and non-safety-critical busses, and that ECU can't be reprogrammed arbitrarily over either bus. It is relatively straightforward to reduce your attack surface by never bridging packets from one network to the other; the bridge device would sit on both networks and report conditions which it determines from the sensors. So it would look at wheel sensors and report "the car is in motion", and look at the wireless key receiver and report "disable the ignition". The compromised CD player wouldn't be able to DoS or spoof the brake pedal without compromising the bridge ECU, and it should be possible to have the bridge use CAN hardware that can't use high-priority IDs on the safety-critical bus.
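An added example, not code from the comment's author, of the bridge ECU design described in the post: a sketch in C of a gateway that never forwards raw frames between the two busses, derives only status bits from sensor frames, and models the hardware restriction that it can transmit only low-priority (numerically high) identifiers on the safety-critical bus. All CAN identifiers, payload layouts and the priority floor are assumptions invented for the example, not values from any real vehicle.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Minimal CAN frame: 11-bit identifier, data length, payload. */
typedef struct {
    uint32_t id;
    uint8_t  dlc;
    uint8_t  data[8];
} can_frame;

/* Assumed identifiers for this example only (not from any real vehicle).
 * On CAN a numerically lower ID wins arbitration, so the numbers encode
 * priority: sensor/actuator traffic is low-numbered (high priority); the
 * bridge may only ever transmit high-numbered (low-priority) IDs. */
enum {
    ID_BRAKE_PEDAL   = 0x100, /* safety bus: never read or written by the bridge */
    ID_WHEEL_SPEED   = 0x1A0, /* safety bus: raw wheel sensor, read by the bridge */
    ID_KEY_RECEIVER  = 0x3C0, /* infotainment bus: wireless key receiver */
    ID_STATUS_MOTION = 0x6F0, /* infotainment bus: bridge's "car is in motion" report */
    SAFETY_TX_FLOOR  = 0x700, /* bridge hardware refuses to send below this on the safety bus */
    ID_IGN_DISABLE   = 0x7A0  /* safety bus: bridge's "disable the ignition" report */
};

/* Models the hardware transmit restriction on the safety-bus controller:
 * the bridge can only send IDs at or above the floor, so it can never win
 * arbitration against brake or steering traffic even if compromised. */
bool safety_tx_allowed(uint32_t id) {
    return id >= SAFETY_TX_FLOOR;
}

/* Frames arriving from the safety bus. The bridge reads the wheel sensor
 * and emits a derived status frame for the infotainment bus. The raw
 * payload is never copied across. Returns true if *out was filled. */
bool bridge_from_safety(const can_frame *in, can_frame *out) {
    if (in->id != ID_WHEEL_SPEED || in->dlc < 2)
        return false;                     /* unknown or malformed: dropped, not forwarded */
    uint16_t speed = (uint16_t)((in->data[0] << 8) | in->data[1]); /* assumed 0.01 km/h units */
    memset(out, 0, sizeof *out);
    out->id = ID_STATUS_MOTION;
    out->dlc = 1;
    out->data[0] = speed > 0 ? 1 : 0;     /* only the derived bit leaves the safety bus */
    return true;
}

/* Frames arriving from the infotainment bus. Only the key receiver's report
 * yields a frame for the safety bus; anything else (a compromised CD player
 * emitting ID_BRAKE_PEDAL, say) is dropped. Returns true if *out was filled
 * and the hardware transmit filter admits its identifier. */
bool bridge_from_infotainment(const can_frame *in, can_frame *out) {
    if (in->id != ID_KEY_RECEIVER || in->dlc < 1)
        return false;
    memset(out, 0, sizeof *out);
    out->id = ID_IGN_DISABLE;
    out->dlc = 1;
    out->data[0] = (in->data[0] == 0) ? 1 : 0; /* assumed: data[0]==0 means no valid key present */
    return safety_tx_allowed(out->id);
}

int main(void) {
    /* Constructed sample traffic. */
    can_frame wheel = { ID_WHEEL_SPEED, 2, {0x03, 0xE8} };   /* 1000 -> 10.00 km/h */
    can_frame brake = { ID_BRAKE_PEDAL, 1, {0xFF} };         /* spoof attempt from infotainment side */
    can_frame key   = { ID_KEY_RECEIVER, 1, {0x00} };        /* no valid key present */
    can_frame out;

    if (bridge_from_safety(&wheel, &out))
        printf("infotainment <- status id=0x%03X in_motion=%u\n", out.id, out.data[0]);
    if (!bridge_from_infotainment(&brake, &out))
        printf("dropped frame id=0x%03X from infotainment bus\n", brake.id);
    if (bridge_from_infotainment(&key, &out))
        printf("safety <- report id=0x%03X ignition_disable=%u\n", out.id, out.data[0]);
    printf("hardware would allow bridge to send id=0x%03X: %s\n",
           ID_BRAKE_PEDAL, safety_tx_allowed(ID_BRAKE_PEDAL) ? "yes" : "no");
    return 0;
}
```

The two handlers are deliberately asymmetric and share no forwarding path: there is no function that takes a frame from one bus and puts it on the other, so the only way to influence the safety bus from the infotainment side is through the fixed, low-priority report frames, and the transmit floor is enforced even for those.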