There's easy ways around that even on a very small, very simple system - output a log of all ballot serial numbers scanned in the batch along with the batch tally.

For extra assurance, sign all the output data with a machine-unique private key to ensure it can't be tampered with upstream in the processing chain. Signature bad on a batch -> reject all ballots from that machine and send it off for forensic analysis. Validated crypto engines are available even on very simple platforms now, so this doesn't conflict with low-complexity hardware.