Short of disconnecting from the Internet or so severely restricting access to services as to make the use of the Internet nearly impossible, you can reduce the probability of compromise with, for example:
- Two border firewalls, running entirely different OSes (meaning, for example, BSD and Linux)
- Inter-zone firewalls
- No services at all running on any of your firewalls or routers, not even DNS and especially not DHCPv4 (which runs the interface in promiscuous mode)
- Two different IDS systems with automated notification and shutdown of connections
- Two, secure, authenticated, centralized logging systems
- Two log-analysis tools
- Isolation of various "trust levels" on their own networks
- Appropriate end-point security
- Continuous monitoring and updating of all security-related software
As pointed out repeatedly above, most of the hardware-related issues have to do with breakdowns in interprocess isolation on the same host, not "outside" attacks.