How to force all filesystems to read-only at boot?

Thank you.

This seems to be working for me, after moving udevd's /run/udev to /tmp (wonder why udevd doesn't have its directory in /tmp by default as do all other programs/daemons).

In case anyone faces the same requirements:

All the mounting at boot is done in /lib/preinit

For / it is:
80_mount_root

Mounting is not configurable, since it is done by a binary, so you need to comment it out:
mount_root

For /boot it is:
79_move_config

Mounting is configurable, since it uses mount, so you can configure it from rw to ro:
mount -t vfat -o rw,noatime $BOOTPART /boot

These changes will force the system to stay read-only on media-based filesystems at boot.
But it will break applying a sysupgrade.tgz, which I don't use. It would be better if all this was configurable with a boot-switch, but this is up to developers to decide.
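
A check to run after applying the changes above, as an added example that is not part of the original post: it reads mount entries in /proc/mounts format and lists media-backed filesystems that are still mounted read-write. The function names, the list of RAM/virtual filesystem types and the sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: find media-backed filesystems that are still mounted rw.
# Input format is that of /proc/mounts: device mountpoint fstype options dump pass

# Filesystem types that live in RAM or are kernel-virtual, so writes to them
# never reach the boot media. Assumption: adjust this list to the target image.
is_virtual_fs() {
    case "$1" in
        tmpfs|ramfs|rootfs|proc|sysfs|devtmpfs|devpts|debugfs|tracefs|pstore|bpf|cgroup|cgroup2)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Reads mount entries on stdin and prints "mountpoint fstype" for every
# media-backed filesystem whose option list contains rw.
rw_media_mounts() {
    while read -r dev mnt fstype opts _rest; do
        is_virtual_fs "$fstype" && continue
        # Options are comma-separated; match rw as a whole option only,
        # so values such as errors=remount-ro are not misread.
        case ",$opts," in
            *,rw,*) printf '%s %s\n' "$mnt" "$fstype" ;;
        esac
    done
}

# Returns 0 when no media-backed filesystem is writable, 1 otherwise.
all_media_readonly() {
    [ -z "$(rw_media_mounts)" ]
}

# Constructed sample: / is still rw, /boot has already been switched to ro.
sample_mounts() {
    cat <<'EOF'
/dev/root / ext4 rw,noatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,noatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noatime 0 0
/dev/mmcblk0p1 /boot vfat ro,noatime,fmask=0022 0 0
EOF
}

sample_mounts | rw_media_mounts   # prints: / ext4
```

On the device, run `rw_media_mounts < /proc/mounts`; empty output means nothing media-backed is writable.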