It's not that these features exists which is the problem. It's that Tesla has implemented it's security poorly, potentially exposing these features to hackers.
Calling from the registered phone number and verifying address is all you need to get OnStar to unlock your car (I am not sure if its still the case now, but it was the case two years ago).
Same thing for username and password. That's all you need to log into their app. Not sure about failed attempts, but there are no other authentication methods.
