No firmware changes are required to support each car having a unique key. Also, there is no technical reason why the car manufacturer would have to have a record of the key that goes with each car.
"So long as the firmware key is not varied per-car, a simple dictionary attack will crack the car open easily."
This isn't correct. Most remote car unlockers use a rotating key system or a computational exchange, specifically to foil dictionary attacks or attackers sniffing the unlock signal to reproduce it. There are a few different ways this is done, some better than others, but the net effect is that a different key is needed for each unlock.
What would be the basis of the lawsuit? Factor in that there's almost certainly wording in the license agreement that to the effect that there is no promise of fitness for purpose or that bugs will be fixed.