If this was a murder, this would actually be very hard to prove who did it. Anyone in the world with an internet connection and the MyTesla login to the car could have done it. How do you prove who pressed the button‽
That's one of the things that make the security so bad. The same password used for the app is used for the website, and a person could take some email addresses, systematically try to determine passwords, find the cars on maps, and get cars out of locked garages and drive them away.
If you think it's so hard to get email addresses, look into the problem related to spam for tesla-box. Plenty of people who got it used an email address that they gave only to Tesla. If you own a Tesla, it's fair to assume that your email address is out there on a list.
I have other apps such as the one that controls my home, including the door locks, thermostats, cameras, etc. Putting the app on a device wasn't enough. It uses a PIN that's unrelated to an account password. The account has a user name unrelated to the email address. The specific device has to have the app put on it, and then a special code is needed to register that specific device to the account, and nobody who knew my pin or other credentials could merely install the app on a random phone. With Tesla, anybody can install the app and it will automatically be associated with any car on the account, rather than requiring an extra step in the car that authorizes a device based on MAC address or anything else. Furthermore, the way the app works makes it easy for a husband and wife to have different PINs unrelated to an account password, the account password can be something long and complex that's impractical to use with the app and doesn't have to be something that all drivers of a car must potentially remember.
If somebody steals a phone, having a PIN would still make it unlikely that a person could make use of the app to steal the car, especially with the additional security of credentials such as a fingerprint or pattern, or anything else that would be unlikely to bypass, especially before a person got a chance to log on and deactivate a device. Also, physical possession of the phone to start with is another layer of security, and a knowing that a phone has been stolen is more likely than knowing that somebody got into your Tesla account on the web.