In almost all cars there are in fact two CAN buses - a high speed, low security bus that connects the radio to the entertainment system and so on, and a low-speed, high security (in terms of components, not actual security) but that connects the brakes to the ECU and so forth.

The issue is that frequently systems like OnStar sit on both buses, because they are used for things like engine diagnostics. If you investigate you'll notice that every single one of these car hacking attacks starts somewhere, pivots to an OnStar like system, then can control the car.

Doesn't really make your point less true, but fits perfectly in the features over security mindset.

Two CAN buses is a quite low number. Last system i saw, which was pretty old, had at least half a dozen from what i could tell from my end of the system, probably even more internally inside or behind other components. Modern cars also use flexray, LIN, MOST and all other kinds of buses. The reason for this is safety, bandwidth and that the delay jitter on a highly loaded can bus can be relatively unpredictable for high frequency control requirements like suspension, traction and other engine related control.