
What is the mechanism by which this is allowed or disallowed? Could that also not be hacked?


It's built into the meters based on a hardware ID code, so any particular meter will only accept a certain set of highly sensitive operations on particular days. So if you need to shut off Mrs. Miggins for non-payment (not legal to do remotely without sending an engineer at present but technically possible) or switch her meter to pre-pay (which is legal) then that command might only be acceptable to the meter once every 20 days. That does mean you can't immediately do it if you're the supplier but also limits the damage that a catastrophic compromise of the smart metering security system can do.
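The acceptance window described in the comment above, sketched as an added example (not from the thread or from any real meter firmware). The hash-to-slot derivation, the day arithmetic and the `READ_USAGE` command name are assumptions, and the meter IDs are constructed.

```python
import hashlib
from datetime import date, timedelta

WINDOW_DAYS = 20  # from the comment: "once every 20 days"
# The two sensitive operations the comment names.
SENSITIVE = {"DISCONNECT", "SWITCH_TO_PREPAY"}


def slot_for(hardware_id: str) -> int:
    """Assumed derivation: hash the hardware ID into one of WINDOW_DAYS slots."""
    digest = hashlib.sha256(hardware_id.encode()).digest()
    return int.from_bytes(digest[:8], "big") % WINDOW_DAYS


def meter_accepts(hardware_id: str, command: str, today: date) -> bool:
    """Meter-side check: routine commands always pass, sensitive
    commands only on the one day in WINDOW_DAYS tied to this meter."""
    if command not in SENSITIVE:
        return True
    return today.toordinal() % WINDOW_DAYS == slot_for(hardware_id)


def days_until_accepted(hardware_id: str, today: date) -> int:
    """How long a legitimate supplier waits before the meter takes the command."""
    return (slot_for(hardware_id) - today.toordinal()) % WINDOW_DAYS


def blast_radius(fleet: list[str], command: str, today: date) -> float:
    """Fraction of the fleet that would act on a command issued today,
    e.g. by a fully compromised head-end system."""
    return sum(meter_accepts(m, command, today) for m in fleet) / len(fleet)


# Constructed fleet of hypothetical hardware IDs.
FLEET = [f"METER-{i:06d}" for i in range(10_000)]

if __name__ == "__main__":
    day = date(2024, 1, 1)  # arbitrary constructed date
    print(f"fleet share accepting DISCONNECT on {day}: "
          f"{blast_radius(FLEET, 'DISCONNECT', day):.1%}")
    print("wait for METER-000001:", days_until_accepted("METER-000001", day), "days")
```

Under these assumptions a sensitive command sent to every meter on one day is accepted by roughly one meter in twenty, which is the damage limit the comment describes, at the cost of a supplier waiting up to 19 days for a given meter.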


Maybe downlinks can only be sent as a response to uplinks (similar to LoRaWAN class A?) and uplinks are every few days?


So it's a two-stage attack; increase the frequency of up/downlinks, and then send the bricking payload!



