Free Republic

To: supercat
Does anyone use non-rewritable media for electronic voting? If not, some of the same issues are just as applicable to other systems as to Diebold's.

Non-rewritable would be safer, but not absolutely necessary. You could still transmit a virus with it, and the best safety it gives is the inability to change votes, but in this case the votes put on the media are already bad if the machine is infected.

And we could achieve the same thing with flash cards if the machine would just cryptographically sign the vote file.

83 posted on 09/18/2006 6:14:09 AM PDT by antiRepublicrat


To: antiRepublicrat
Non-rewritable would be safer, but not absolutely necessary. You could still transmit a virus with it, and the best safety it gives is the inability to change votes, but in this case the votes put on the media are already bad if the machine is infected.

My proposal would be to have OTP carts with a conspicuous write-protect switch. Before the election, the code cart is set to "write protect", and then both Republicans and Democrats ensure that it matches what it's supposed to contain. The cart is then marked with numbered seals and inserted into the voting machine. Next, a second cartridge is set to "write protect" and verified by members of both parties to be blank. The cart is then set to "write enable" and inserted into the machine.

Both parties then use serialized tamper-resistant tape to seal both carts into the machine and a transparent cover is locked down over them. The numbers of all relevant seals are then copied onto a sign which is visible within the voting booth but also outside (so election judges can ensure nobody tampers with it).

How is a virus going to get into such a system? If the code is open source, and both parties have a bit-for-bit copy of exactly what it's supposed to contain, how's it going to get infected?

Further, it's easy to include in an OTP an unalterable checksum, i.e. a checksum which is designed so that changing any bit in the main array from a "1" to a "0" will require changing at least one checksum bit from a "0" to a "1". Such a change would be impossible in an OTP.

On the ballot memory card, each ballot record would be tagged with an unalterable checksum. If each ballot record is 30 bytes + 2 bytes checksum, a 27C256 (fairly small by modern standards) could hold 1000 ballots plus 768 bytes of other data. If 600 people cast votes, there should be 400 blank ballot spots and 600 ballot spots with valid checksums. There will be no way to change the contents of the memory chip without either reducing the number of blank ballot spots or producing an invalid ballot spot.

Without counterfeiting seals, how could one tamper with a system like that and not have such tampering detected?

And we could achieve the same thing with flash cards if the machine would just cryptographically sign the vote file.

What does that accomplish? You haven't eliminated the possibility that the machine might be running altered software that will "un-alter" itself just before the end of the election. Publishing a cryptographic hash of a vote file immediately upon close of election may be good to prevent the file from being modified post-election, but if something is modified it would be quite useless at showing what. By contrast, if for some reason a memory card which is supposed to have 600 valid records and 400 blank ones is found to have 598 valid records, 397 blank ones, and 5 invalid records, one could be assured that there were at least 595 true records, at most five had been destroyed, and at most 3 new ones were added.

84 posted on 09/18/2006 5:02:12 PM PDT by supercat (Sony delenda est.)
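The "unalterable checksum" and the 598/397/5 audit arithmetic from post 84, as an added example that is not part of the original posts. It assumes the checksum is a count of zero bits in the record (a Berger code), which is one scheme with the stated property; the post does not name one, and all function names and the sample image are constructed.

```python
RECORD, DATA, SLOTS = 32, 30, 1000   # 30 data + 2 checksum bytes; 1000 slots (from the post)
BLANK = b"\xff" * RECORD             # unprogrammed OTP cells read as all ones

def checksum(data: bytes) -> bytes:
    # Assumed scheme: number of 0 bits in the data. Clearing a data bit raises
    # the count, and a binary number cannot grow without some bit going 0 -> 1.
    return sum(8 - bin(b).count("1") for b in data).to_bytes(2, "big")

def make_record(data: bytes) -> bytes:
    return data + checksum(data)

def otp_write(cell: bytes, new: bytes) -> bytes:
    # Programming an OTP part can only clear bits, so a write is a bitwise AND.
    return bytes(c & n for c, n in zip(cell, new))

def classify(rec: bytes) -> str:
    if rec == BLANK:
        return "blank"
    return "valid" if rec[DATA:] == checksum(rec[:DATA]) else "invalid"

def surviving_single_bit_edits(rec: bytes) -> int:
    # Try clearing each set bit of a record; count edits that still verify.
    hits = 0
    for i in range(RECORD * 8):
        mask = bytearray(BLANK)
        mask[i // 8] &= ~(1 << (i % 8)) & 0xFF
        edited = otp_write(rec, bytes(mask))
        hits += edited != rec and classify(edited) == "valid"
    return hits

def audit(image: bytes, expected_valid: int) -> dict:
    n = {"valid": 0, "blank": 0, "invalid": 0}
    for i in range(SLOTS):
        n[classify(image[i * RECORD:(i + 1) * RECORD])] += 1
    max_added = max(0, (SLOTS - expected_valid) - n["blank"])  # blanks used up
    return {**n, "max_added": max_added, "max_destroyed": n["invalid"],
            "min_true": n["valid"] - max_added}

def demo_image() -> bytes:
    # Constructed data: 600 ballots cast, then 5 damaged and 3 forged.
    slots = [make_record(i.to_bytes(DATA, "big")) for i in range(1, 601)] + [BLANK] * 400
    for i in range(5):                       # clearing a data byte spoils the record
        slots[i] = otp_write(slots[i], BLANK[:DATA - 1] + b"\x00" + BLANK[DATA:])
    for i in range(600, 603):                # forged records consume blank slots
        slots[i] = otp_write(BLANK, make_record(bytes(DATA)))
    return b"".join(slots)

if __name__ == "__main__":
    print(audit(demo_image(), expected_valid=600))
```
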