From a comment in the Reddit thread below:
"Thieves are gaining access to the left headlight computer sub-assembly by peeling back the plastic splash guard, where they can stick a couple of pins into the CAN_H and CAN_L wires in the wiring harness plug."
https://www.reddit.com/r/rav4prime/comments/zlddrj/new_theft...
https://www.rav4world.com/threads/can-invader-attack-unstopp...
It's not a bad design per se, the problem isn't that the headlight is on the network or that the network is accessible to the outside - the problem is that in the automotive industry a lot of what happens on that network is "secured" by obscurity and any "security" is more there to keep the legitimate owner/independent repair shop out than actual bad guys, as you can see.
Someone must've reverse-engineered the security by obscurity - my guess is they reversed the factory flashing procedure allowing them unrestricted read/write to the ECUs' ROM where they can either write their own keys' codes or outright patch out the immobilizer check.
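Added example, not code from this comment or from either linked forum: the comment's point is that a device clipped onto CAN_H/CAN_L can talk on the bus like any ECU, so the defensive check a practitioner wants is one that notices traffic the bus should not carry. The script below is a minimal timing-based anomaly check over constructed candump-style frames. It learns the median inter-arrival time of each arbitration ID from a trusted capture, then flags frames whose ID was never seen in that baseline and frames that arrive far earlier than their ID's learned period (a periodic sender keeps its cadence, so an extra frame squeezed between two legitimate ones is suspicious). The IDs 0x1A0, 0x2B0 and 0x3FF, the periods, the payloads and the 0.5 early-arrival factor are all made-up values for the demonstration, not anything from a real vehicle or from the thread.

```python
import re
import statistics
from collections import defaultdict

# candump-style line: "(<timestamp>) <iface> <ID hex>#<data hex>"
_LINE = re.compile(r"^\((\d+\.\d+)\)\s+(\S+)\s+([0-9A-Fa-f]{3,8})#([0-9A-Fa-f]*)$")


def parse_line(line):
    """Parse one candump-style line into (timestamp, can_id, data bytes)."""
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised frame: {line!r}")
    ts, _iface, can_id, data = m.groups()
    return float(ts), int(can_id, 16), bytes.fromhex(data)


def periodic_frames(can_id, period, count, data="00", start=0.0):
    """Constructed helper: emit `count` frames of `can_id` every `period` seconds."""
    return [f"({start + i * period:.6f}) can0 {can_id:03X}#{data}" for i in range(count)]


def learn_baseline(lines):
    """Median inter-arrival time per arbitration ID, learned from a trusted capture."""
    stamps_by_id = defaultdict(list)
    for ts, can_id, _ in sorted(parse_line(l) for l in lines):
        stamps_by_id[can_id].append(ts)
    return {
        can_id: statistics.median(b - a for a, b in zip(stamps, stamps[1:]))
        for can_id, stamps in stamps_by_id.items()
        if len(stamps) >= 2
    }


def detect(lines, baseline, early_factor=0.5):
    """Return alerts for frames with an unknown ID or an off-cadence arrival.

    An early frame does not advance the per-ID cadence anchor, so the next
    legitimate frame is still judged against the last legitimate one.
    """
    alerts = []
    last_legit = {}
    for ts, can_id, data in sorted(parse_line(l) for l in lines):
        if can_id not in baseline:
            alerts.append(("unknown_id", ts, can_id, data.hex()))
            continue
        prev = last_legit.get(can_id)
        if prev is not None and ts - prev < early_factor * baseline[can_id]:
            alerts.append(("early_frame", ts, can_id, data.hex()))
            continue
        last_legit[can_id] = ts
    return alerts


# Constructed "known-good" capture: two periodic IDs, 0x1A0 every 10 ms and
# 0x2B0 every 20 ms (made-up IDs and periods, not from any vehicle).
BASELINE_LOG = periodic_frames(0x1A0, 0.010, 50, "1122") + periodic_frames(0x2B0, 0.020, 25, "AA")

# Constructed monitored capture: the same traffic plus two foreign frames of the
# kind a device clipped onto the harness could produce: an off-cadence 0x1A0
# and an ID the baseline has never seen.
MONITORED_LOG = BASELINE_LOG + [
    "(0.052000) can0 1A0#FFFF",
    "(0.105000) can0 3FF#01",
]

if __name__ == "__main__":
    baseline = learn_baseline(BASELINE_LOG)
    for kind, ts, can_id, payload in detect(MONITORED_LOG, baseline):
        print(f"{ts:.6f} {kind:12s} id=0x{can_id:03X} data={payload}")
```

With the constructed captures this reports the injected 0x1A0 frame at 0.052 s as `early_frame` and the 0x3FF frame as `unknown_id`, and reports nothing on the clean baseline. A real deployment would learn from a much longer capture, tolerate the jitter of event-driven (non-periodic) IDs, and treat the result as a detection signal rather than a replacement for authenticated messaging on the bus.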