> At the very least, put them on a separate secure network

Aka. "Technical network". At least that's what it is called where I work. And yes, we do run (mainly) Linux for our controls stuff.

> Again, how would a different OS help other than security through obscurity? Other operating systems are not magically bug-free.

Sure, they are not, but putting them on a separate network, and avoiding using the operating system that has holes so large that you can fly a 747 through them generally helps.

> We have seen infections via application updates before, including people infiltrating open source repos and replacing packages with trojaned ones.

Updates on TN computers tend to be tightly controlled - often so tightly that they never arrive, which of course is a security risk in itself.