OK – a somewhat long winded possible explanation here.
I suspect tesla using a similar scheme to android OTAs. With android, each device in the field has a unique secret security identifier which is used to encrypt "secrets" on the device (if the device mfg got their security correct). This includes users who encrypt their phone as well as other assets such as DRM keys that hollywood insists on being kept secure (which authorize your device to play protected content). The reason the keys are unique is so if a device is hacked/cracked, posting the resultant secret key publicly does not compromise any other device.
As part of the device security, the device always needs to validate that the software update coming to it is trusted and authorized (else you really don't have security). Thus every android OTA update is individually signed or encrypted for your device and pushed out separately. This is why android updates for a particular phone are staggered and take a week or more to roll out. You could parallelize the process by getting a whole bunch more servers to do more encryption/pushing in parallel but at end of day, is a ROI decision (how much capital expense on servers vs how long to update all your devices in field).
My guess is that each model S also has a unique security key which the OTA needs to be signed for. Thus they cannot do a universal blast.
Caveats to above are details between different android developers may differ slightly (such as using public/private keys, etc) but general concept/flow is the same. Another complication is rooted devices which generally only root at the OS level and not the firmware level (thus device is actually still secure but key boxes are hidden from the rooted OS so you lose all your security based functionality such as DRM playback).
