Soekris hardware is often suggested, but they are not so cheap.
There are also plenty of micro ATX or all-in-one fanless PCs with dual-NICs in a similar price range. Or dual-NIC Intel NUCs, as well (not fanless).
* standard install, strip down kernel to bare minimum, configure everything
* mount everything read only (/var memory backed)
* set kern.securelevel to 3 (to disallow raw writes to disks, modifications to the firewall or un-/loading of kernel modules)
* ignore the on-site admin when he begs for ssh access (because you of course disabled sshd)
The system was first rebooted in, IIRC, 2004 when I had to change the ppp-config after they changed providers.
Overall costs: about $100 for old hardware and about 1h of my time.
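An added example, not part of the comment above: a small audit for the posture that list describes (disk filesystems read-only, memory-backed /var, raised securelevel, no listening daemons). It assumes BSD-style `mount` and `netstat -an` output; the function names are hypothetical and the target level is a parameter.

```shell
#!/bin/sh
# Added example: audit helpers for a locked-down BSD firewall box.
# Each function reads command output on stdin so it can be run against
# saved output as well as on the live system.

# Print mount points that are writable AND backed by a real disk.
# Memory-backed filesystems (mfs, tmpfs, md devices) may stay writable,
# which matches "mount everything read only (/var memory backed)".
# Usage on the box:  mount | writable_disk_mounts
writable_disk_mounts() {
    awk '{
        opts = $0
        sub(/^[^(]*\(/, "", opts)        # drop everything up to "("
        sub(/\).*$/, "", opts)           # drop ")" and anything after it
        opts = ", " opts ","             # pad so every option is ", name,"
        ro  = (opts ~ /, read-only,/)
        mem = ($1 ~ /^mfs:/) || ($1 == "tmpfs") || ($1 ~ /^\/dev\/md/) ||
              (opts ~ /, (mfs|tmpfs),/)
        if (!ro && !mem) print $3        # field 3 is the mount point
    }'
}

# Succeed if the running securelevel ($1) is at least the wanted one ($2).
# Usage on the box:  securelevel_ok "$(sysctl -n kern.securelevel)" 3
securelevel_ok() {
    case "$1" in
        ''|-|*[!0-9-]*) return 2 ;;      # empty or not a number
    esac
    [ "$1" -ge "$2" ]
}

# Print the local address of every listening TCP socket. With sshd
# disabled, a pure packet filter should normally print nothing here.
# Usage on the box:  netstat -an | tcp_listeners
tcp_listeners() {
    awk '$NF == "LISTEN" { print $4 }'
}
```

Any line printed by `writable_disk_mounts` or `tcp_listeners`, or a non-zero status from `securelevel_ok`, is a deviation from the described setup.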
eracks.com offers preinstalled obsd firewalls.
Probably many others, but if you mean store-bought consumer devices, no idea, but it would be trivial to abstract away the OBSD complexity and offer secure remote updates if a company wanted. Why they don't, maybe it's cheaper or easier to find GNU/Linux engineers.
They really don't.
Thus the growth of systems like pfSense.
TL;DR: Resflash has some really useful features for real-world embedded use-cases.
Having done embedded development (industrial packet radios), having an embedded firmware loader and fail-safe ROM are definitely major pluses for less brickable products. Having two versions is a similar approach.
Also handy is a dev board w/ actual hardware watchdog and some industrial NVRAM.
How do I proceed about configuring Linux this way?