Comment by mberger
You have to be able to get new keys made without having an original to read. A database of VIN, key would be too big of a target and would have to be shared with dealers anyway so they could program new ones. I'm not a security expert but it seems like it would really shorten battery life on the fob if you wanted to protect against replay attacks by adding a time-sensitive value.
Key distribution is (as always) an important, but solvable problem. There are some tradeoffs involving centralization vs cost of replacement, but those apply generally, not just in this particular case.
As for replay attacks, that's where the button press comes in (like on a hardware security token) -- the key only responds to challenges within a second or so of a button press and the car sets a similar timeout for validity.
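Added example, not part of the original comments: a minimal sketch of the button-gated challenge-response described above, showing why a captured response fails when replayed. The HMAC-SHA256 construction, the shared symmetric key, the `Fob` and `Car` class names and the 1.0 second window are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

WINDOW = 1.0  # seconds; "a second or so" in the comment, exact value assumed

class Fob:
    def __init__(self, key: bytes):
        self.key = key
        self.pressed_at = None

    def press_button(self, now: float) -> None:
        self.pressed_at = now

    def respond(self, challenge: bytes, now: float):
        # Stay silent unless the button was pressed within the window.
        if self.pressed_at is None or not (0 <= now - self.pressed_at <= WINDOW):
            return None
        return hmac.new(self.key, challenge, hashlib.sha256).digest()

class Car:
    def __init__(self, key: bytes):
        self.key = key
        self.pending = None  # (challenge, issued_at) of the outstanding challenge

    def challenge(self, now: float) -> bytes:
        self.pending = (secrets.token_bytes(16), now)  # fresh random nonce
        return self.pending[0]

    def verify(self, response, now: float) -> bool:
        if self.pending is None or response is None:
            return False
        challenge, issued_at = self.pending
        self.pending = None  # each challenge can be answered once
        if not (0 <= now - issued_at <= WINDOW):
            return False  # challenge expired on the car side
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def demo():
    key = secrets.token_bytes(32)  # constructed shared key for the demo
    fob, car = Fob(key), Car(key)
    fob.press_button(now=10.0)
    captured = fob.respond(car.challenge(now=10.1), now=10.2)
    legit = car.verify(captured, now=10.3)
    car.challenge(now=60.0)
    replay = car.verify(captured, now=60.1)  # old response, new challenge
    idle = fob.respond(car.challenge(now=60.2), now=60.3)  # no recent press
    return legit, replay, idle
```

Timestamps are passed in explicitly so the timing behaviour is deterministic; the fob needs no clock synchronized with the car, only a local timer started by the button press.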