ME7 is extremely old (10+ years). Also, immobilizer defeat requires removal of the ECU. It's trivially easy to do once the ECU is removed, but that requires extended access to the car.
We're not talking about whether something can be defeated if you have the keys, a toolbox, an eeprom burner and unlimited time with the car. The root question is about whether a vehicle is hackable, potentially remotely.
The can gateway is "just another device", but it's very difficult to get it to do anything it isn't supposed to do. Yes, all the devices you care about are on the powertrain bus. But, nothing that's easily accessed (infotainment, obd port, headlight distance controls) is on that bus and none of those things can communicate directly with it.
It's exactly the same principle as having an internal network isolated from the internet. A properly configured firewall will allow proper access to inside services, but won't allow malicious activities.