The FDA does no review of the software at all, but their review of the hardware means that the manufacturer is completely immune to lawsuits if someone dies as a result of a bug in their software.
Once again, untrue. As a Software Quality Engineer for a major medical device manufacturer, I can tell you the FDA does review software and has regulations and guidance surrounding software development. In recent years the scrutiny of software-based devices has increased so much that companies are having a difficult time understanding exactly what the FDA expects.
The FDA provides minimal guidance on software. I'm working with a Medical Application Vendor now who insists that we install MS SQL Server 2005 SP3 (which is out of support) for their newly released product. This is what the FDA approved. The FDA also has guidelines for commercial off-the-shelf software that require vendors to comply with security updates. That isn't really a priority once something is approved, you see. Strictly speaking, the FDA considers devices using commercial off-the-shelf software to be end of life when any software vendor ends support. Medical Application Vendor's take is they have FDA approval, don't worry. We'll wind up installing this, but with enough conference calls and meetings to point auditors and lawyers at the vendor.