Mostly, they already have the separate processor. They have to because the analog gear won't put up with the jitter caused by the CPU running an OS and userspace. So it's just a matter of having the flash not be co-mingled with the flash that holds the OS. OR, the processor can check the signature of the blob it gets handed before enabling Tx (that one would add no hardware).
Now, go fetch me a fab, and a team and I'll get right on that for you.
But if you object to those pennies, you should object to the new FCC reg that demands that they actually secure the things and write a detailed report on how they did so. It's cheaper still to just leave it the way it is now.
The sad part is that this regulation will do nothing. People who want to use the forbidden channels will just order the hardware from somewhere that permits those channels.