
But what if it wasn't writeable recently but has been in the past? How do you know that the seed data isn't stale and you are starting up the entropy pool in exactly the same state as last time, and the time before that, and ...

In some security contexts this could be a significant concern.




The seed file will go stale if you prevent the system from updating it. It's the first source for the entropy pool, but it's not the only source. I really have no idea how large an effect the random subsystem suffers as a whole if that source is allowed to go stale.


How do you know somebody hasn't hex edited the kernel to nop out the rng entirely?


You usually don't, unless you demand signed kernels and have a secure method of blocking unsigned ones.

But the read-only filesystem issue is something that could happen by accident rather than malicious alteration - for instance some filesystem errors may result in it being mounted RO for safety until the corruption is addressed.
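
A check for the situation this thread discusses, added here as an example and not written by any of the commenters: it reports whether a seed file sits on a read-only filesystem and whether it has been rewritten since the current boot. The function names are hypothetical, the seed path is supplied by the caller, and `linux_boot_time` assumes a Linux `/proc/stat`.

```python
import os
import tempfile
import time


def seed_file_status(path, boot_time, now=None):
    """Describe whether the seed file at `path` may be reused unchanged.

    boot_time and now are epoch seconds. The seed is flagged when the
    filesystem holding it is mounted read-only (it cannot be updated)
    or when it has not been rewritten since this boot.
    """
    now = time.time() if now is None else now
    st = os.stat(path)
    vfs = os.statvfs(os.path.dirname(os.path.abspath(path)))
    read_only = bool(vfs.f_flag & os.ST_RDONLY)
    refreshed = st.st_mtime >= boot_time
    return {
        "read_only_fs": read_only,
        "refreshed_since_boot": refreshed,
        "age_seconds": now - st.st_mtime,
        "stale_risk": read_only or not refreshed,
    }


def linux_boot_time():
    """Boot time in epoch seconds, from the btime line of /proc/stat."""
    with open("/proc/stat") as f:
        for line in f:
            if line.startswith("btime "):
                return float(line.split()[1])
    raise RuntimeError("btime not found in /proc/stat")


if __name__ == "__main__":
    # Constructed sample: a temporary file stands in for the seed file,
    # with its mtime set one hour before a made-up boot time.
    boot = 1_700_000_000.0
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(os.urandom(512))
    os.utime(tmp.name, (boot - 3600, boot - 3600))
    print(seed_file_status(tmp.name, boot, now=boot + 120))
    os.unlink(tmp.name)
```

On a real host, pass the distribution's seed file path together with `linux_boot_time()` and alert when `stale_risk` is true.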



