If data diode points to outside, like a power plant exporting its status to web, then photosensor can be completely taken over. Sure, the web page might be completely bogus, but there will be no disruption in power plant's system. The hardware design guarantees it. That is the strongest case for data diodes.
If data diode points to inside, like a power plant getting new data from the outside, then sure, photosensor software is a concern, but since it's relatively simple, this would not be my biggest worry. I'd worry about app that runs on target PC and receives files; if file is an archive, about un-archiver exploits; an finally about the files themselves. If there a doc, are you sure it's not exploiting Word? If there is an update, are you sure it's not trojaned? Are you sure users are not click on the executable thinking it's a directory?
