It's true that the software field is bad at what it does. When someone makes a truly secure piece of software, they get a PhD and repeatedly make the HN front-page. [0]
It's not just a matter of writing code with no bugs, though. As I mentioned this another comment, [1] voting is unusual as we must be confident in the correctness of the count, and confident that it's not possible to prove whether a particular person voted a particular way. There's also a trust issue: with a digital system, a single corrupt official will likely be able to do far more damage to the vote than with a paper-based system. Even if the system is somehow structured to resist this, public trust might still be less than in a paper-based system.
You are correct. It needs to be anonymous, untamperable, auditable.
I recently had a discussion with a friend who asked me how to implement a write only audit log that will comply with some finra regulation. I asked him how tamper proof it needs to be, and mentioned his system admin could practically stop the log writer, do shady stuff, and start the log writer and there is nothing you can do about it.
As long as someone has access to the system, things can go wrong.
I am hoping zero knowledge proof systems will provide some guarantees here some day.
