DoD Acquisitions has a focus on 'performance oriented' contracting. They suggest you buy things the way you buy managed servers at a server farm like rackspace.com. So, you could try to let a contract for the use of 1000 PCs for 2 years and specify downtime, replacement, and repair measures. Offer the contractor rewards for exceeding the minimum requirements and penalties for not.
I think the idea applies pretty well here. I wonder how it would work. I'd call it HAAS - Hardware as a Service.
I just want to highlight your second point. I believe that THE most important thing gained from code reviews is the spreading of knowledge and the gaining of understanding. New development is always great, but most programming is maintaining/fixing/improving existing projects. A code review is a great way to really learn about code readability. You actually get to see other people read your code and you get to read other people's code. All of this code is fresh in someone's mind so it can be explained, and how to make it more readable can be discussed. I learned a ton about writing maintainable code at my first job where we did regular code reviews.
On the more technical side, often once the code is discussed, much simpler ways to solve the problem are discovered. It isn't about the individual bug fixes/improvements that can come from a code review. It's really a way to improve your programmers.
I have seen mIRC used in situations even more secure than the one you describe.
Last I checked, the BIOS lives in a chip, not the HDD. Thus the magic diskless booting. How is this news?
"Well hello there Charlie Brown, you blockhead." -- Lucy Van Pelt