The logic is sorta backwards. They can’t fix anything because it’s such a pain to get it re-past regulators. Making a large software change would be huge excel documents scrutinizing the FMEA and “risk assessments”, and if any risk increases or decreases, goto 510(k)

My assumption is that it was easier to get past regulation that way. Because their sensor is only talking to their app. And the app is only talking to their server. So no third parties to interface with which would complicate things.

And what happens on the server probably doesn't need certification.

They do however go out of their way to make it hard for third parties. They encrypt their app and run integrity checks to detect patches. Now writing this again makes me feel like they purposefully block third parties, not just ignore them.