Further on my motivation to go there deliberately, if it's not already clear.
Lithium is perfect until it's not.
I've thought lots about the dreaded BMS shutdown and the challenges that this poses. Alternators are the tip of the iceberg.
For me, the solution is essentially clean separation of house and operational.
Operational needs to be bulletproof. You need to be able to start and operate reliably in all conditions. Alternators and LA batteries have been doing it for years.
House can shut down. The lights go out and the ice starts melting. But I'll get to where I need to in order to resolve.
That is indeed the big concern, and was a huge focus when I was planning our power system what is now 4 years ago. As you point out, boats are historically designed around the assumption that DC power is always there, and will always be there until the water rises above the top decks. So we use it for all critical systems.
As part of planning for the boat power system, I built an LFP bank for my home to get experience with it. One thing that became pretty clear is that the batteries themselves are VERY stable and just work. And because there is no water maintenance, and no management concerns of partial SOC operation, they are actually much MORE stable than lead.
So what's the concern over BMS disconnects? Well, a disconnect will only happen if the battery is operated out of allowed range for temp, charge voltage, etc. What's the solution? Just don't do it. In a correctly set up battery system, a BMS disconnect will NEVER happen. It's only a broken charger that tries to over-charge a battery that will lead to a BMS disconnect. And by the way, that will likely trash a lead battery as well. If chargers are set up correctly, the batteries will never even come close to a disconnect. It's like a fuse. They only blow if something is wrong.
That leaves failure of the BMS itself. Will there be software errors? Will the electronics hold up over time and various environmental conditions? This was my concern. Not the batteries, but a failed or errant BMS. To deal with this, I built in two backups, actually three.
First is that I built two LFP battery banks, each with it's own BMS. So if a BMS goes wacko, it will only take out half of my battery system, and not cast the boat into darkness and silence. Then, in case both BMSes fail, I have a parallel switch that let's me parallel the house bank with either of the two engine start banks. The start banks are obviously much smaller capacity, but they will get things running again, and I can start a generator for longer term operation. The parallel switches have also proven very useful for doing LFP maintenance. For example, I can switch house loads to a start bank, then shut down the BMSes for software updates or other work, then switch back to LFP when done.
So this is a long way of saying that although BMS disconnects need to be accounted for, they don't just happen willy nilly, and if they do, it's because something is wrong with your system. For example, my home BMS has NEVER disconnected. Not once, not in 4 years of continuous use as the houses primary power source. And in contrast, I have heard of LFP systems designed to intentionally charge the batteries until they disconnect. That's just so wrong and represents a fundamental misunderstanding of what a BMS disconnect is intended for.