I've known a lot of high-quality developers over my 15 years of professionally developing software. The reason I don't want an automated car is because of these people. People make mistakes, intentionally or otherwise.
When it comes to true high-rel software, like that written to DO-178B Level A (an avionics software standard used for things like fly-by-wire), it's almost never the software per se that's at fault. The stuff is amazingly good. It's also amazingly expensive to write and test. You might also find it frustrating because it brings new meaning to the idea of conservative design. For example, I don't think it allows recursion. I know it doesn't allow dynamic allocation.
Firmware engineer here. While I don't work on safety-critical systems, not allowing recursion or dynamic allocation is just standard practice.
Memory leak errors are almost impossible to debug on a microcontroller. So as a preventative measure, standard practice is not to do any dynamic allocation after hitting the main loop. Initialisation is OK: it runs once and never gets freed. Once the system is running, however, the risks outweigh the benefits.
Recursion is much the same: it's easy to blow the stack, messy to debug, and it makes static analysis hard.
While both can be done safely, we consider them automatic red flags, and any use needs to be accompanied by a justification in the comments. The code is also very carefully checked. Typically the problem is readdressed and another method used.