My preferred fix would be module signing. If the required key was either not present, because I compiled the kernel elsewhere, or securely shredded then loading the module would fail and there would be a nasty message in the kernel log.
Real experts could just replace the kernel too but script kiddies can't. I can't afford to implement write protected /, /usr, kernel image, etc. If udev or systemd can't cope then I would use something simpler which can.
My personal firewall machine (original pentium with 2 * 10/100 ethernet) uses a kernel does not support modules, period. I don't need SecureBoot to stop you loading modules on that box :-)