[andix]

Are those real ROM-based-systems, that could execute code directly from ROM, without loading it to RAM first?

The only ROM-based-systems I worked with are the Atmel AVR microcontrollers. They don't need to load code into RAM for execution, they have the ROM memory mapped into the address space. I think they can't even run instructions from RAM, which makes remote code execution physically impossible.

[Dwedit]

Even if you can't execute code from RAM, stack corruption and Return-Oriented-Programming (ROP) can still be a thing. It's just far more limited if you can't use ROP to set up regular code.

[kevin_thibedeau]

Memory devices were not accessed via exotic interfaces at the time. ROM was directly addressable on the bus in early PCs. They executed their ROM code directly as the access time was sufficient for low speed clocks. That is what the BIOS is. Any additional OS/BASIC environment worked the same. Later BIOS implementations had shadow RAM options to allow execution without wait states as bus speeds eclipsed ROM access times.