In a system like this the software organization should be super-confident that no matter what failures occur they will handle them gracefully. They should be this confident before even entering the sim.
Getting there is hard and you should be using both models you can prove correct and hands-on "vulnerability" testing. And to make it feasible you should keep your "stack" as simple as possible.
To me your comment reads like developing a system like this in a trial-and-error way until you get a pass from the sim would be OK. It is most definitely not OK.
Of course you don't start from a crude simulation, but when the sim diverges from real hardware behavior, you need to find the reason and update the sim to reflect the real world.