The responsability of circulating with a vehicle that abides by safety regulations is of the owners, not the makers.

You’ll notice that even in the consumer auto segment (which, since run-of-the-mill consumers are not expected to be “experts”, has all tons of ways to make sure they the car they buy is actually certified “road-worthy” upfront because they don’t have the know-how to make sure of it themselves) the actual car owners have the responsability of having a periodic inspection done to the car and repair those things that stop it from being road-worthy (at least that is the case in Europe).

Outside the consumer segment, I expect that the rules for trains are pretty similar to those for commercial aviation: the manufacturer has no responsability beyond a contractual one (i.e. the purchasing entity probably demands contractually that the vehicles they get comply with regulations, the parts they buy obbey certain specifications and maintenance done by a manufacturer-certified shop delivers a compliant vehicle) and all the regulatory responsability is in the hands of the owner (specifically the operator, as for example for leased planes the airline doesn’t actually own them but they do operate them hence they’re the ones with regulatory responsabilities).

The USA argument comes from the anti-circunvention legislation for software being part of the DMCA law, said legislation giving rights to the makers of the software to stop changes to it even in deviced they do not own. Where such legislation does not apply there is nothing “illegal” in somebody doing whatever changes they want to software as long as they have the authorization of the owner of the device whose software they are changing.