It should also be mandatory that manufacturers support any device/vehicle for at least twenty years.
No, because it is safe to assume that the manufacturers will lock down the device so that only they can create updates for it, and it is safe to assume that manual driving will become more and more restricted over time. Setting any specific time limit is thus equivalent to planned obsolescence on a nationwide scale.
Manufacturers should be required to update the firmware for as long as a single copy of that car is on the road. This encourages the manufacturers to standardize on a single set of software that applies to all of their vehicles over many, many model years, which has the added benefit of dramatically reducing the likelihood of coding errors. If the manufacturer goes out of business, they should be required to spin off a company that owns the source code and rights to do this maintenance. They should be required to set aside a portion of the purchase price of each vehicle in a special safety fund that is protected in the event of bankruptcy, specifically for the purpose of funding such a company, should it be required.
... it just disables itself allowing for manual control.
No, because some people will just not bother to update their firmware, and will just choose to drive manually. Then we'll be in the same position we're in now, having to maintain lots of unnecessary infrastructure (traffic lights, road signs, etc.) that we could otherwise eliminate entirely.
Except on specifically designated manual roads (e.g. scenic routes, long roads in the middle of the desert, etc.), manual control should be restricted to emergencies only (temporary in the event of a complete system failure, to drive it to the nearest spot on the shoulder that is wide enough to pull over so that a tow truck can tow it to a repair shop). Manual driving should be extremely rare, as it puts a significant strain on the traffic control systems.
Firmware should be OTA self-updating, should be signed by the manufacturer, and should be completely transparent to the user. The vehicle should have two boot partitions, and should always update the least recently updated partition. That way in the event of a failure, you can do some magic sequence involving the odometer button and the ignition key to revert a bad firmware install in the unlikely event that it happens. Also, this ensures that if the install fails for some reason, the car can safely wipe that boot partition, load a full copy (non-update) of the new version, and go on as though nothing had gone wrong.
The device should continue running the current version of the firmware until the next time you shut the vehicle off. Then, it should boot from any newly updated firmware. If the boot fails, it should fall back to the previous firmware, wipe the newly updated firmware, and download a fresh (full install) copy again.
The manufacturer should have the ability to push an "unsafe firmware" notice to the device. If the device sees that flag, it should immediately flag that version of the firmware as potentially dangerous. If it is currently booted from the unsafe version and if it has another version installed that is not flagged, it should immediately find a safe spot to pull over, pull over, reboot from the other version of the firmware, and continue the trip. If it does not have a safe version, it should immediately query the server, download a full, known-safe version, overwrite the version that it is not currently booted from, and then immediately find a safe spot to pull over, etc.
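The two-partition update, boot fallback and "unsafe firmware" handling described in the comment above, sketched as a small C state model. This is an added example, not part of the original comment or any manufacturer's code: the type and function names are hypothetical, signature verification is reduced to a boolean input, and requiring the unsafe notice to be authenticated is an assumption the comment does not state.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Illustrative model only: all names here are hypothetical. */
enum slot_state { SLOT_EMPTY, SLOT_PENDING, SLOT_GOOD, SLOT_UNSAFE };
enum action { ACT_NONE, ACT_PULL_OVER_AND_SWITCH, ACT_DOWNLOAD_FULL_THEN_SWITCH };
struct slot { enum slot_state state; uint32_t version; };
struct ecu { struct slot s[2]; int active; };

/* Stage an image into the slot we are not running from. The running
 * firmware is untouched; a bad signature leaves flash unchanged. */
bool stage_update(struct ecu *e, uint32_t version, bool sig_ok) {
    if (!sig_ok) return false;
    e->s[1 - e->active] = (struct slot){ SLOT_PENDING, version };
    return true;
}

/* Ignition-on: give a pending slot one boot attempt. On failure wipe it
 * (the caller then fetches a full image) and keep the previous slot. */
int boot(struct ecu *e, bool pending_boots_ok) {
    int other = 1 - e->active;
    if (e->s[other].state == SLOT_PENDING) {
        if (pending_boots_ok) { e->s[other].state = SLOT_GOOD; e->active = other; }
        else e->s[other] = (struct slot){ SLOT_EMPTY, 0 };
    }
    return e->active;
}

/* "Unsafe firmware" notice. Assumption: the notice is authenticated like
 * an update, so an unauthenticated one is ignored. */
enum action unsafe_notice(struct ecu *e, uint32_t bad_version, bool sig_ok) {
    if (!sig_ok) return ACT_NONE;
    for (int i = 0; i < 2; i++)
        if (e->s[i].state != SLOT_EMPTY && e->s[i].version == bad_version)
            e->s[i].state = SLOT_UNSAFE;
    if (e->s[e->active].state != SLOT_UNSAFE) return ACT_NONE;
    int other = 1 - e->active;
    if (e->s[other].state != SLOT_GOOD) return ACT_DOWNLOAD_FULL_THEN_SWITCH;
    e->active = other;  /* models the reboot after pulling over */
    return ACT_PULL_OVER_AND_SWITCH;
}

int main(void) {
    struct ecu e = { { { SLOT_GOOD, 10 }, { SLOT_EMPTY, 0 } }, 0 };  /* constructed */
    stage_update(&e, 11, true);
    printf("after failed boot: slot %d\n", boot(&e, false));
    stage_update(&e, 11, true);
    printf("after good boot: slot %d\n", boot(&e, true));
    printf("unsafe notice: action %d\n", unsafe_notice(&e, 11, true));
    return 0;
}
```

The model makes one gap in the scheme visible: once both slots are flagged, the only path left is the full download, so the vehicle's behaviour while that download is unavailable has to be defined separately.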