Most of microcontrollers with internal FLASH do have "fuses" - when in erased state, you can program and read the FLASH back; when programmed, they prevent reading back and/or subsequent programming.

I'd not rely on "cannot be read serially", at least in one case (the LPC9xx's UART bootloader) this is proven to be only information held back from the datasheets (read the bootloader sources, they ARE available).

Caveat:
Never rely on the "security" provided by manufacturers.
Some of the chips do have backdoors.
Some of the chips do have bugs.
Many of the "security" measures can be overcome by using them outside specifications (e.g. using carefully designed glitches on power or other pins).
Any of such chip can be cracked open and the state of FLASH/ROM can be read out using a proper microscoping technique (not easy nor cheap but there are "services" doing this; the pricetag is said to be as low as in the order of $1000).
There are chips labelled as "secure" used mainly in smartcards, which have _some_ countermeasures against such practices. Also, there is a range of chips from Dallas where security is achieved by on-the-fly decryption of an externally stored encrypted version of the program; nevertheless even this scheme relies ultimately on securing the physical access to it.

I don't deal with legality, morality etc. of this, just describe the status quo. A great source of information is the security group in Uni of Cambridge, google for Ross Anderson.

JW