The remote offices may be fortunate enough to be in the service area of the same fiber provider, so they connect back to HQ via an AES256 VPN handled by the main firewalls. Offices in other areas may still be connected via T1 or fractional T3, smaller sites by standard VPN. There are no backup lines because the cost is prohibitive and ISDN won't provide anywhere near the bandwidth required to run those offices today. Each office peels out a portion of their fiber connection for Internet connectivity, so Internet traffic doesn't flow back to HQ. This requires that Internet policy maintenance be implemented at each site, not just HQ, which can be costly depending on the type of solution in place.
In this scenario there is no physical separation of anything; it's all controlled within the firewalls and switches. The core switches are carrying trusted and untrusted traffic and in places trunking that traffic to virtualization hosts, edge switches, and so forth.
From a convenience standpoint, this might make sense. If your admins are absolutely grade-A, top-notch, it might make sense. For everyone else, it can quickly turn into a disaster as even a casual attitude regarding switchport assignments and allowed VLANs on trunks can open up security holes the size of volcanoes. Lacking that physical separation, mixing trusted and untrusted networks can be a nightmare if you're not careful, and a nightmare even if you are. Just because you can do something doesn't mean you should.
But the cost savings can't be argued with. Terminating remote-site VPNs on the same device that also controls local DMZs and Internet access has significant benefits these days, especially if those remote sites can play on the same provider network. Suddenly, a high-speed WAN is as cheap as dirt. It's also necessarily more complex from a configuration and administration standpoint. That doesn't mean don't do it; it means do it right.
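The casual trunk configuration described above can be checked mechanically. This is an added example, not part of the original column: it parses Cisco IOS-style switch configuration and flags trunks that have no allowed-VLAN list or that carry both trusted and untrusted VLANs. The sample config, the VLAN plan and the function names are constructed assumptions, and only the plain `switchport trunk allowed vlan <list>` form is handled.

```python
import re

# Constructed sample config in Cisco IOS-style syntax (not from the article).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 switchport mode trunk
 switchport trunk allowed vlan 10,20,100-101
!
interface GigabitEthernet1/0/3
 switchport mode trunk
 switchport trunk allowed vlan 100-101
!
interface GigabitEthernet1/0/4
 switchport mode access
 switchport access vlan 10
"""

# Assumed VLAN plan: internal (trusted) IDs and DMZ/Internet (untrusted) IDs.
TRUSTED, UNTRUSTED = {10, 20}, {100, 101}

def expand_vlans(spec):
    """Expand a list such as '10,20,100-101' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_trunks(config, trusted, untrusted):
    """Return {interface: finding} for trunks that are unrestricted or mix trust zones."""
    findings = {}
    for block in re.split(r"(?m)^(?=interface )", config):
        header = re.match(r"interface (\S+)", block)
        if not header or not re.search(r"(?m)^\s*switchport mode trunk\s*$", block):
            continue  # not an interface stanza, or not a trunk port
        allowed = re.search(r"(?m)^\s*switchport trunk allowed vlan ([\d,\- ]+)$", block)
        if allowed is None:
            findings[header.group(1)] = "no allowed-VLAN list (trunk carries every VLAN)"
            continue
        vlans = expand_vlans(allowed.group(1))
        if vlans & trusted and vlans & untrusted:
            findings[header.group(1)] = "mixes trusted and untrusted VLANs"
    return findings

if __name__ == "__main__":
    print(audit_trunks(SAMPLE_CONFIG, TRUSTED, UNTRUSTED))
```

On the sample, the first two trunks are flagged; the DMZ-only trunk and the access port are not.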
The moral of this story is that even though the transports are different, the overall architecture shouldn't vary: Physical separation of trusted and untrusted networks should be sacrosanct.
Now get off my lawn!