Well, that's terrifying.
And, really, I'm not surprised - even my 1999 Golf has a network upon which all devices can see everything else (while it's a year before VW put everything on a CAN bus, there is the K-line (essentially RS-232 at weird baud rates) that every control module in the car is sitting on for diagnostic purposes), and there's no access control other than matching the baud rate, sending the command to the correct control module address (but everything sees everything on the K-line), and occasionally 5 digit passwords that are, for the most part, printed in the workshop manuals).
Even things like the instrument cluster, which contains the immobilizer (well, on US-market cars it's not active until 2000), can be attacked with readily available software, the ROM dumped (on some clusters, this takes an hour of brute forcing a password, but most, it gets in immediately), the secret key code decoded, and the immobilizer protections are effectively defeated.
For all I know, there's a buffer overflow in the central locking (for manual windows)/central convenience (for power windows) module that can be used to attack other K-line or CAN-bus modules, for a wireless attack.
When modern cars don't even bother to isolate the infotainment from the powertrain/safety CAN bus, and have long-range wireless protocols in their infotainment systems... and even when they do (some cars use FlexRay or Ethernet for infotainment instead), they put infotainment data on the instrument cluster, which communicates with the powertrain/safety CAN bus anyway, and is therefore an attack surface on the powertrain/safety bus. And, don't forget the steering wheel/column controller, which is often on the powertrain/safety bus for things like cruise control (typically the airbags are directly connected to the airbag module) and the infotainment bus for infotainment control... And, then, you've got telematics systems that directly have a need to access the powertrain/safety bus to do what they do (crash detection to call emergency services, remote diagnostics, remote unlock (although central locking could be put on another bus), remote shutdown for police)...