``[an iptables config text file] will work on pretty much any Unix system in existence - provided of course that I know where that particular flavour of Unix keeps its firewall config''
Er, no. Not unless you assume that all Unix in existence is Linux 2.6. Before 2.6 they used ipchains, and before that... something else. By contrast, FreeBSD supports ipfw(2), ipf, and pf. You can even mix them to a point, though your rulesets will become... interesting, but you can do it, and sometimes it's even useful to do so. I like ipfw2 and pf both for their routing-table-style lookup ability, meaning that you can do IP/range blacklists efficiently. The closest to ``universal'' packet filtering would probably be OpenBSD's pf.
Not contesting the sendmail dig; I'm not even trying to read, much less write, sendmail.cf myself. Plenty of people _do_ roll their own, and without m4, though that also means they're sendmail specialists and can make good money doing it. Personally, I'll pick a different MTA. The fact that I can means more power to me.
For an ``unreadable text'' format I'd point to XML first. Mostly because it's overly general, overly verbose, overly hyped, and often abused by people who shouldn't be let near designing formats at all. As a developer I can think of many formats that are simpler and faster to parse and develop parsers for. The belief that XML will make everything magically better, as too many developers, managers, and other silly people hold, makes it snake oil.
From what I've heard about puppet, it's a useful approach, but certainly the only one. cfengine is something of a low-level, experts-only, very unix-y remote automated scripting tool. You might take a look at arusha (ark.sourceforge.net), which builds on that and offers another take on what puppet does. Though it uses XML extensively. Oh well, can't have everything.
I'd still like to know how to poke Windows boxes remotely from Unix boxes running scripts. Through the remote registry, exec-over-RPC, or what-have-you. One of the things I'd want to have, eventually, is some cron job updating the latest in emergency micros~1 patches onto a Unix server for review, which then lets me push them out through perhaps another script onto the Windows boxes. There are various tools to do parts of that around, but I haven't gotten around to hacking them so they'll work sensibly as scripted components in a POSIX environment and gluing it all together. I'm a bit surprised if nobody else managed that before; the protocols should support it, though they're exceedingly obscure and rather painful to work with. But maybe I just haven't been looking enough.
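The pf ``routing table style lookup'' the comment above refers to is pf's table feature: addresses and CIDR ranges go into a radix tree and a single rule matches against the whole set, so a blacklist of thousands of entries costs one lookup rather than one rule per entry. The pf.conf fragment below is an added illustration, not the commenter's configuration or any project's own ruleset; the interface name em0, the file path /etc/pf/blacklist and the RFC 5737 sample addresses are assumptions chosen for the example.

```conf
# Added example pf.conf fragment (not from the original comment).
# Assumed external interface; adjust for the host.
ext_if = "em0"

# One table holding every blacklisted host or range. "persist" keeps the
# table around even when no rule currently references it; "file" loads
# the initial contents from a plain-text list, one address or CIDR per
# line, e.g. (constructed sample contents of /etc/pf/blacklist):
#   192.0.2.0/24
#   198.51.100.17
#   203.0.113.128/25
# A single radix-tree lookup per packet covers the whole list, which is
# what makes large IP/range blacklists cheap compared with one rule each.
table <blacklist> persist file "/etc/pf/blacklist"

set skip on lo0

# Drop inbound traffic from anything in the table before any other rule
# ("quick" stops rule evaluation on match), and refuse outbound
# connections to those ranges as well.
block in quick on $ext_if from <blacklist> to any
block return out quick on $ext_if from any to <blacklist>

# Normal policy follows; stateful pass for what the host initiates.
block in on $ext_if
pass out on $ext_if keep state
```

Because the table is a live object, entries can be changed at runtime without reloading the ruleset: `pfctl -t blacklist -T add 192.0.2.55` adds a host, `pfctl -t blacklist -T delete 192.0.2.55` removes it, and `pfctl -t blacklist -T show` lists the current contents. That is also what makes the table approach suit the scripted, cron-driven administration discussed in the comment: a script can regenerate the list file and run `pfctl -t blacklist -T replace -f /etc/pf/blacklist` to swap the set atomically.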