I would like to append another aspect of the security classification into the discussion:
How immediate does the software have to cause the danger?
glork98 argues that if "the software component can never, ever cause physical injury or treatment failure" it is A. But how much influence do we assign to the human user which acts upon information from a system?
Consider an thermometer which uses a LCD display to show the temperature. If a software failure leads to an invalid temperature, then a user/doctor might apply the wrong treatment, leading to the death of the patient.
Now the software in the thermometer can never ever kill/harm anybody (unlike a pacemaker, MRI, CT, or similar), but still 62304 seems to make it necessary to categorize the software as class C.