How you prevent the Thompson hack is simple:
Change of Domain.
If your electronic terminals do no counting, but only ballot display, vote collecting, and printing, then they are off of *most* of the critical path -- if people are bringing in a marked Sample Ballot, they will likely notice if their preferred candidate is *missing*, and that's the only fraud you can commit there: add or delete a possible vote-choice.
Once you have a locked box full of serially numbered votes, and a companion locked box full of serially numbered spoils (that is, the pair of boxes, together, should comprise a complete serially numbered set of votes from TERMINALNUMBER-1 through TERMINALNUMBER-TOTALVOTES, which can be checked, and TERMINALNUMBER and TOTALVOTES are written by hand on multiple separate poll-worker and poll-watcher count sheets), and you have those votes for all machines in a precinct, you can then run them all through the counting machines.
That's a PC, with an ADF scanner, running any damned software you like...
because the election officials count them one way, and the party watchers each count them with something different, and the counts had *better* all match.
If they don't match, you can pretty easily find out why, by putting all the bodies in a room, and passing them all along past people with tally sheets.
My point is, and remains, that it is demonstrably possible -- for elections held solely in precincts -- to satisfy *every* constraint about a plebiscite that doesn't have to do with Arrow's theorem, or getting actual bodies to the building (registration issues and the like), WITH CURRENTLY AVAILABLE TECHNOLOGY, NONE OF WHICH EVER HAS TO BE ON THE VOTE-COUNT-CRITICAL PATH.
You just gotta *wanna*.
But, as Carlin observed: "Wanna is a sin all by itself. Thou shalt not *wanna*."
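
The reconciliation the post above describes (votes box plus spoils box forming a complete serial set, hand-written count sheets agreeing, and independent counts matching), sketched as an added example that is not part of the original post. The serial format `TERMINAL-N`, the terminal id, and all sample data are constructed assumptions.

```python
from collections import Counter

def reconcile_terminal(terminal, total_votes, votes_box, spoils_box):
    """Both boxes together must hold terminal-1 .. terminal-total_votes, each exactly once."""
    expected = {f"{terminal}-{n}" for n in range(1, total_votes + 1)}
    seen = Counter(votes_box) + Counter(spoils_box)  # a serial in both boxes counts twice
    return {
        "missing": sorted(expected - set(seen), key=lambda s: int(s.rsplit("-", 1)[1])),
        "unexpected": sorted(set(seen) - expected),  # wrong terminal or out of range
        "duplicated": sorted(s for s, c in seen.items() if c > 1),
    }

def sheets_agree(sheets):
    """sheets: {who: TOTALVOTES written by hand}. Returns the agreed total, or None."""
    values = set(sheets.values())
    return values.pop() if len(values) == 1 else None

def counts_disagree(tallies):
    """tallies: {counter: {choice: n}}. Returns the choices on which counts differ."""
    choices = set().union(*tallies.values())
    return sorted(c for c in choices
                  if len({t.get(c, 0) for t in tallies.values()}) > 1)

# Constructed sample data for one terminal, assumed id "T07".
SHEETS = {"poll_worker_1": 6, "poll_worker_2": 6, "watcher_party_x": 6}
VOTES_BOX = ["T07-1", "T07-2", "T07-4", "T07-6", "T07-6", "T09-2"]
SPOILS_BOX = ["T07-3"]
TALLIES = {
    "officials": {"A": 3, "B": 2},
    "party_x":   {"A": 3, "B": 2},
    "party_y":   {"A": 2, "B": 2},  # counted with different software
}

if __name__ == "__main__":
    total = sheets_agree(SHEETS)
    if total is None:
        print("count sheets disagree on TOTALVOTES; resolve before counting")
    else:
        print(reconcile_terminal("T07", total, VOTES_BOX, SPOILS_BOX))
    print("choices needing a hand recount:", counts_disagree(TALLIES))
```
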