As a security professional, I will state that there is a HUGE amount of "Security Theater" going on. It's not possible to defend against absolutely everything, and it is not always desirable to do so.
Everything is a risk; the only way to really secure your computer is to turn it off, unplug it, wrap it in a Faraday cage, and then start working on physical security. Since such a machine provides very little value to people, everything is a matter of what level of risk you are willing to take.
Running an 'allyes' kernel publicly exposed to attackers (i.e., on the Internet) is a very bad idea. You want your Internet-exposed devices to have as small an attack surface as possible, and this means disabling features that you don't need. The distro kernels tend to be marginal in this area: they enable just about everything, but do so as a module, so it's not always loaded, but some action can cause the kernel to think it's needed and then the module will be auto-loaded.
You need to understand the risks, and then evaluate the risks, not just think "risk == BAD".
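As an added example (not part of the post above), here is one way to act on the point about distro kernels shipping nearly everything as an auto-loadable module: compare what is loaded against an allowlist of modules the host actually needs, and emit `/etc/modprobe.d` directives that stop the rest from being auto-loaded. The `/proc/modules` listing and the allowlist below are constructed for the example; on a real host you would feed it `$(cat /proc/modules)` and your own list.

```shell
#!/bin/sh
# Added example, not code from the original post. It compares a
# /proc/modules-style listing against an allowlist and prints the
# modprobe.d lines that block autoload of everything else.
#
# 'install <mod> /bin/false' makes modprobe run /bin/false instead of
# inserting the module, which blocks autoload on demand. A bare
# 'blacklist <mod>' only stops loading via aliases and is not enough alone.

# Constructed sample of /proc/modules output (first field is the module name).
SAMPLE_PROC_MODULES='dccp 90112 0 - Live 0x0000000000000000
sctp 393216 0 - Live 0x0000000000000000
rds 98304 0 - Live 0x0000000000000000
ext4 778240 1 - Live 0x0000000000000000
virtio_net 65536 0 - Live 0x0000000000000000
xt_conntrack 16384 4 - Live 0x0000000000000000'

# Modules this (hypothetical) host genuinely needs.
ALLOWLIST='ext4 virtio_net xt_conntrack'

# Print, one per line, the module names in $1 that are not in the
# space-separated allowlist $2.
unneeded_modules() {
    listing="$1"
    allow="$2"
    printf '%s\n' "$listing" | while read -r name _rest; do
        [ -n "$name" ] || continue
        case " $allow " in
            *" $name "*) ;;               # needed: leave it alone
            *) printf '%s\n' "$name" ;;   # loaded but not on the allowlist
        esac
    done
}

# Emit one modprobe.d 'install' directive per module name given as argument.
modprobe_deny_lines() {
    for m in "$@"; do
        printf 'install %s /bin/false\n' "$m"
    done
}

# Stand-alone usage: list the unneeded modules, then the directives to deny them.
unneeded_modules "$SAMPLE_PROC_MODULES" "$ALLOWLIST"
# shellcheck disable=SC2046
modprobe_deny_lines $(unneeded_modules "$SAMPLE_PROC_MODULES" "$ALLOWLIST")
```

On a live host, redirect the directive output to a file under `/etc/modprobe.d/`, then confirm with `modprobe -n -v <module>` (dry run) that modprobe now resolves to `/bin/false` instead of loading the module. Once the needed modules are loaded, `sysctl -w kernel.modules_disabled=1` goes further and refuses any module load until reboot, which is appropriate for Internet-facing boxes whose module set is fixed.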