The rules are that every vulnerability should go public, but the manufacturer must be notified first and given time to fix the problem. 45 days or something like that, I think, so depending on the time passed since exploit discovery, it's ok or not ok text
Notification is an interesting sub-part of this story. The researchers claim they attempted to report to Honda but found no clear path for security-related bug submissions (as opposed to most responsible IT companies, which have a very clear front door for this and even pay bounties for new vulnerabilities). They say the best answer they could get was to call it in to general customer support, which they did, and which got them a generic form-letter-type response.
The good news here is, like the other poster stated, many people are insured for car theft. Which means there are large car insurers who are in a position to take action if this is a real threat. For example they would be much better situated for suing Honda for total damages caused; or simply for raising premiums on Honda cars. If the raised rates were substantial enough, car purchasers would begin to take it into account, at which point Honda's internal priority would presumably change from "please call the customer support feedback line" to "this is absolutely getting fixed".