A read-only SD card works pretty well though, in my experience. You can make it rw for upgrades and remount it ro once done. All the files which need write access (but which you don't care about preserving) can be "saved" to tmpfs.
With a normal install you can just configure unattended-upgrades (on Debian at least) and mostly forget about security updates; they will just happen (you can even set a schedule for reboots for kernel updates, IIRC).
But IIRC boot on card + root FS on SATA or USB-SATA works just fine, and you only get some writes from the occasional kernel update.
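The remount-for-upgrades cycle described above, as an added example that is not part of the original comment: it makes the root filesystem writable, applies updates, and always returns it to read-only, even when the upgrade fails. The function names and the `RUN` variable are hypothetical; it assumes a Debian-style system with `apt-get` and a root filesystem mounted `ro` via fstab.

```shell
#!/bin/sh
# Added example (not from the original comment).
# Assumption: / is mounted read-only and throwaway paths live on tmpfs.

# RUN is a hypothetical command prefix: leave it empty to execute for real,
# or set RUN=echo to print each step without touching the system.
RUN=${RUN:-}

# Print "ro" or "rw" for the last entry of / in a mounts table.
# $1 = mounts file (defaults to /proc/mounts; the last entry is the live one).
root_mode() {
    awk '$2 == "/" { split($4, o, ","); m = o[1] } END { print m }' \
        "${1:-/proc/mounts}"
}

# $1 = rw | ro
remount_root() {
    $RUN mount -o "remount,$1" /
}

# Returns 0 on success, the apt exit status if the upgrade failed,
# or 2 if / could not be returned to read-only.
upgrade_readonly_root() {
    remount_root rw || return 1

    # Do not bail out on failure here: the ro remount below must still run.
    $RUN apt-get update && $RUN apt-get -y upgrade
    rc=$?

    # Flush pending writes before flipping back to read-only.
    $RUN sync

    # The remount can fail with "busy" while a process still holds a file
    # open for writing; report that loudly instead of silently staying rw.
    if ! remount_root ro; then
        echo "WARNING: / is still writable, fix and remount manually" >&2
        return 2
    fi
    return "$rc"
}

# Only act when explicitly asked, e.g.: sh upgrade-ro.sh run   (as root)
if [ "${1:-}" = "run" ]; then
    upgrade_readonly_root
fi
```

Running it first with `RUN=echo` prints the exact command sequence without modifying anything.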