Yes, but what if the NFC tag was on your keychain with your phone, which the attacker also had? That seems far more likely than being able to spoof a Bluetooth device that your phone had already paired with in the past (yet that one is in the list of "not automatic" choices).