
nearfar47 t1_j5yg6gt wrote

It could be incidental. Bluetooth isn't a really high-security protocol, and has known security vulnerabilities. It's hypothetically possible a mfg could get a standard, well-accepted off-the-shelf IP block that has an unknown security hole.

Someone writes a virus for Windows machines that activates Bluetooth and attempts to reprogram any and all Bluetooth devices within its short range. A few devices using this IP can be hijacked to spread the virus to other Bluetooth-enabled Windows machines, or have their uninfected Windows drivers' call-home-for-updates function redirected to another IP# to join a DDOS on a bank later.

Say the DDOS won't actually work on the pacemaker's call-home-for-updates because the driver has no such capability. But the attack did try to rewrite the device's Bluetooth firmware and partially succeeded. Then the implant gets junk data from its Bluetooth firmware block, the virus sees it's a common Cortex-M4 core and reprograms its firmware in an attempt to turn it into a DDOS slave, which renders the core functions broken. Its hardware peripherals like the pulse generator get random writes to their registers when this malware mistakenly thinks these addresses went to a peripheral for a long-range radio transceiver for an AirTag. Now the pulse generator is stuck with random, nonsense values which could immediately send out deadly signals to the amplifiers.

Is it likely? I'd say no. But it's a far-fetched, yet plausible, scenario.

Funny fact: all these devices currently have hard fault modes where, if the lead voltages don't make sense or a hard fault occurs, the device will go into "POR" mode (Power On Reset) which, for safety, will not try to reboot with suspicious hardware problems but lock it up until you bring yourself in for service diagnostics and get re-enabled.

With one model, going shopping in a foreign country with different radio frequency use outside the US FCC-approved spectrum the device was tested for, they walked out of the store through the anti-shoplifting portal and its radio pulses confused the code with an unexpected lead voltage; it suspected a transistor output-stage fault, and thus shut down the amps and went into POR, disabling their device on the spot, and their Parkinson's Disease symptoms returned immediately in full force with the implant disabled. And it will stay that way until you find one of the mfg's authorized service nurse-practitioners with the specialty hardware to go into diagnostic mode, download the logs, check the amps with a self-test, watch whether it causes the person to start physically glitching out, and, if everything's OK, the nurse can send the command to return it to normal operating mode.

But a hack could have bricked that Bluetooth service interface, requiring surgical replacement under RMA. Or the Bluetooth module firmware could still have malicious code that the service mode didn't see, checked out the device as OK without surgery and re-enabled it, but the malware will later try to rewrite the main firmware all over again.

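The latched "POR" safe state the comment describes (amps off on an implausible lead reading or a hard fault, a plain reboot does not retry, only an authorized service tool can enter diagnostics, run a self-test and resume) can be modelled in a few dozen lines. The following C is an added illustration, not code from the comment author or from any real implant vendor: the plausibility window, the service token, the log layout and every function name are constructed assumptions, chosen to show how a latched fault state is kept separate from a reboot and from the diagnostic path.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/*
 * Hypothetical model of a latched fault ("POR") state. An out-of-range lead
 * reading or a hard fault disables the output stage and latches the device;
 * a power cycle honours the latch instead of retrying with suspect hardware;
 * only the service path (token-gated, assumed here) may enter diagnostics,
 * and only a passing self-test returns the device to normal operation.
 * All values are constructed for illustration.
 */

typedef enum { MODE_NORMAL = 0, MODE_POR_LOCKED, MODE_DIAGNOSTIC } dev_mode_t;
typedef enum { FAULT_NONE = 0, FAULT_LEAD_RANGE, FAULT_HARD } fault_t;

#define LOG_SLOTS   8
#define TOKEN_LEN   16
#define LATCH_MAGIC 0x504F5221u   /* "POR!" marks a persisted latch (assumed) */

typedef struct {
    dev_mode_t mode;
    bool       amp_enabled;       /* output stage (pulse amplifiers)        */
    int16_t    lead_min_mv;       /* plausible lead-voltage window (assumed)*/
    int16_t    lead_max_mv;
    fault_t    latched_fault;     /* modelled as non-volatile: survives POR */
    uint32_t   latch_magic;
    fault_t    log[LOG_SLOTS];    /* fault log the service tool downloads   */
    uint8_t    log_len;
} implant_t;

/* Constructed service credential; a real device would use a proper one. */
static const uint8_t SERVICE_TOKEN[TOKEN_LEN] = {
    0x53,0x56,0x43,0x2d,0x54,0x4f,0x4b,0x45,0x4e,0x2d,0x44,0x45,0x4d,0x4f,0x30,0x31 };

static void log_fault(implant_t *d, fault_t f) {
    if (d->log_len < LOG_SLOTS) d->log[d->log_len++] = f;
}

/* Shut the amps down first, then record and persist the latch. */
static void latch(implant_t *d, fault_t f) {
    d->amp_enabled   = false;
    d->latched_fault = f;
    d->latch_magic   = LATCH_MAGIC;
    d->mode          = MODE_POR_LOCKED;
    log_fault(d, f);
}

void implant_init(implant_t *d) {
    memset(d, 0, sizeof *d);
    d->lead_min_mv = -500;        /* constructed window, not a clinical value */
    d->lead_max_mv =  500;
    d->mode        = MODE_NORMAL;
    d->amp_enabled = true;
}

/* Called for every lead sample; returns whether the amp is still enabled. */
bool implant_on_lead_sample(implant_t *d, int16_t lead_mv) {
    if (d->mode != MODE_NORMAL) return false;
    if (lead_mv < d->lead_min_mv || lead_mv > d->lead_max_mv) {
        latch(d, FAULT_LEAD_RANGE);   /* e.g. a portal-induced nonsense reading */
        return false;
    }
    return true;
}

/* Hard-fault path: bad memory access, corrupted peripheral register, etc. */
void implant_on_hard_fault(implant_t *d) { latch(d, FAULT_HARD); }

/* Power-on reset clears volatile state but does NOT clear a persisted latch. */
void implant_power_cycle(implant_t *d) {
    fault_t  f = d->latched_fault;
    uint32_t m = d->latch_magic;
    fault_t  saved_log[LOG_SLOTS];
    uint8_t  saved_len = d->log_len;
    memcpy(saved_log, d->log, sizeof saved_log);
    implant_init(d);
    memcpy(d->log, saved_log, sizeof saved_log);
    d->log_len = saved_len;
    if (m == LATCH_MAGIC) {           /* do not retry with a suspect output stage */
        d->latched_fault = f;
        d->latch_magic   = m;
        d->mode          = MODE_POR_LOCKED;
        d->amp_enabled   = false;
    }
}

/* Constant-time token compare so timing does not leak the credential. */
static bool token_ok(const uint8_t *t) {
    uint8_t acc = 0;
    for (size_t i = 0; i < TOKEN_LEN; i++) acc |= (uint8_t)(t[i] ^ SERVICE_TOKEN[i]);
    return acc == 0;
}

/* The service tool may leave the locked state only into diagnostics; amps stay off. */
bool implant_enter_diagnostic(implant_t *d, const uint8_t token[TOKEN_LEN]) {
    if (!token_ok(token)) return false;
    d->mode = MODE_DIAGNOSTIC;
    return true;
}

/* Self-test with a fresh in-clinic reading; a failing reading keeps the device locked. */
bool implant_self_test_and_resume(implant_t *d, int16_t test_mv) {
    if (d->mode != MODE_DIAGNOSTIC) return false;
    if (test_mv < d->lead_min_mv || test_mv > d->lead_max_mv) {
        log_fault(d, FAULT_LEAD_RANGE);
        d->mode = MODE_POR_LOCKED;
        return false;
    }
    d->latched_fault = FAULT_NONE;
    d->latch_magic   = 0;
    d->mode          = MODE_NORMAL;
    d->amp_enabled   = true;
    return true;
}
```

The design point is that the latch is a separate, persisted piece of state from the run mode: a reboot restores defaults for everything except the latch, so the device comes back up with the amps off, and the only transition out of the locked state passes through an authenticated diagnostic step and a self-test rather than through a retry.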