The transition toward Software-Defined Vehicles (SDV) forces the industry to rethink the right balance between in-house development, open-source software, and commercial solutions. Initiatives such as COVESA and the Eclipse SDV working groups are creating valuable open-source foundations for non-differentiating software. Yet, open source is not “free” in the automotive context. Vehicles remain in the field for 15–20 years, and long-term maintenance, security updates, and compliance cannot be left solely to the community. Relying entirely on open source means either dedicating scarce in-house resources to maintain large code bases or paying third parties for support—often at a significant cost, with the added risk of depending on niche expertise and facing a new form of vendor lock-in. Commercial software, in contrast, typically comes with service-level agreements (SLAs), guaranteed support, and subject-matter expertise, especially in critical areas like cybersecurity. This reduces risk for OEMs, who remain ultimately responsible for fixing vulnerabilities regardless of code origin. Cybersecurity adds another layer of complexity: beyond the direct cost of patches or recalls, reputational damage and regulatory penalties—such as those under GDPR—can be substantial. Thus, there is no one-size-fits-all solution. A thoughtful mix of in-house, open-source, and commercial software—applied where each makes the most sense—will be key to building sustainable and secure SDV architectures.