Some other things should be added.
First, the paper ballot should also list all the candidates the voter did *not* choose, so that a later recount can see if there were choices left off, which is something that should invalidate the election.
Secondly, neither the voting machine nor the verification/scanner machines should store any results. The only thing that should store the cumulative results during the day should be the ballot box itself, ie, the box that holds the voter-validated ballots.
I'm fine with a ballot box setup that causes incoming ballots to be permanently tied/secured together, and I'm fine with the ballot box doing electronic counting, and being used to generate an end-of-day printed tally that can be attached to the secured ballots.
In this way every step of the process is human auditable: A person can print out twenty different ballots, validate twenty different ballots, (verifying that the machine readable portion corresponds to the human-readable text), then throw away 19 of the 20 and put the one they really wanted in the ballot box. In any recount, a person can manually tally the paper votes and verify that it matches the printed tally per filled ballot box, and poll watchers can watch the number of ballot boxes, making sure none are switched out during the day, and getting a copy of tally printouts for each ballot box so they can each see that the same set of ballot box tally's for their precinct match the tally's reported centrally.
The same validation machines and ballot boxes can be used for any set of elections, without any reprogramming, and the hardware is all interchangeable, individually testable, and verifiable. There is no need to trust that supposedly audited code matches the code that is actually running in the machines. The only machines that need an updated data file for each election are the machines that print out the potential ballots themselves, but everything related to their fundamental purpose of displaying choices and printing ballots can be independently verified.