Security is a major concern. Every major Linux distribution uses signed packages. But the FreeBSD systems in the office downloading unsigned packages/ports via FTP.
Is there a solution that would allow me to securely update a *BSD on a malicious network?
Use freebsd-update for official binary system updates.
When you upgrade packages from ports (e.g. with "portsnap" and "portmaster" like I do) the packages' source-files ARE signed with SHA256 checksums and verified before compilation, so I wouldn't worry about that.
Since it seems you're very much security-aware, I'd go with compiling ports from signed sources if I were you anyway.