/dev/mem
There have been a number of kernel rootkits that used /dev/mem, namely phalanx and phalanx2, written by Rebel. This device has also undergone a number of security patches. Currently, it is present on all systems for backwards compatibility, but only the first 1 MB of memory is accessible, primarily for legacy tools used by X Windows.
FreeBSD /dev/kmem
On some OSes such as FreeBSD, the /dev/kmem device is still available and is writable by default. There is even an API specifically designed for accessing it, and there's a book called Writing BSD rootkits that demonstrates its abilities.