by rizkeyz 1614 days ago
We live at the dawn of cyberterrorism, I'm glad we are stepping out of nuclear now.
5 comments

Not only cyber. A nuclear power plant makes an excellent target for terrorism or war.

Even if the attack is completely unsuccessful it would cause panic.

Furthermore, highly centralized electricity generation makes the distribution network very vulnerable as well.

It's not impossible to purpose-build hardened, incompatible, read only systems that can submit telemetry to the outside world while only providing actual control on-site (or via restricted channels). Stuxnet wouldn't have happened (or would have been a very rare event) if they built their system this way.
Stuxnet happened despite being air-gapped. Regardless, I am confident you can place physical safeguards that could not lead to nuclear emissions even in the event of loss of control over the computer systems.
It happened despite being air-gapped, because they used general purpose hardware and software. If their systems were built on purposely incompatible hardware and software (as I proposed) and could mainly communicate using a serial console, the attack surface would be much, much lower, and the attacks would be much, much harder.
Having worked for a short stint with some power plant control systems, I can say that at least the systems I worked with were quite niche. The actual control was happening on these racks that ran a VxWorks OS on some Motorola, I think they were, MCUs. Despite this, the systems were interfaced with some Windows machines that did supervision. When they were operating, they had redundancies, and were quite locked down. Of course, at that time, I was a noob and did not understand _everything_ that was going on in there.

Actually, now that I think of it, the WDPF system it was derived from was used in some nuclear power plants as well.

Regardless, what I wanted to say was... being obscure, while it makes things mildly harder for skiddies, is not a big deal for state actors or more resourceful attackers. Stuxnet was highly targeted and they got access to specific vulnerabilities in the Siemens DCS systems that were running there. Just having exotic systems is no guarantee. I agree, obscurity is a layer of defense in depth, but no guarantee. Surely you don't suggest they use new purpose-built HW for each control system design. Also, control systems DO need to have their SW updated as well. It's obvious you can't make it hard read-only. You do have physical lockout mechanisms for this though.

Here's a radical idea: Maybe your potentially dangerous industrial machinery does not need to be directly connected to the internet?
Hopefully the few computers needed do not use generalist OSes and aren't connected to the Internet either?
IIRC, some nuclear readout panels were accessible over the public internet using badly secured VNC, so I think that's not the case.
I assume you never worked in security.
Should we be concerned then about nuclear weapons being hacked too?
Not to the point of detonating them - they have a lot of physical safeguards.
And why would you need any power plant connected to the internet?