Remember that we are not talking about POSIX capabilities that your programs all need to know about.
We are talking about features that you can turn off to lock your machine down (protecting it even from root).
I would expect that there will be one program to do this, and it will probably be executed exactly once per boot cycle (unless it's a developer's machine).
So saying that if you upgrade the kernel and are trying to lock down the machine, you need to check for new lockdown flags that may have been introduced and decide if you want them doesn't seem at all unreasonable to me. In fact, it sounds like what would happen anyway with anyone competent doing a kernel upgrade: you would check the new kernel compile options to see if something new pops up that may be a problem.
Look at the namespace features for a perfect example.
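One way to carry out the upgrade-time check described above (list options that are new or changed between the old and new kernel's .config), as an added example that is not part of the thread; the two config fragments and the CONFIG_EXAMPLE_* names are constructed for illustration.

```python
import re

# Constructed sample .config fragments (not real kernel configs) standing in
# for the previous build and the upgraded build.
OLD_CONFIG = """\
CONFIG_NAMESPACES=y
CONFIG_USER_NS=y
# CONFIG_MODULE_SIG is not set
CONFIG_STRICT_DEVMEM=y
"""

NEW_CONFIG = """\
CONFIG_NAMESPACES=y
CONFIG_USER_NS=y
CONFIG_MODULE_SIG=y
CONFIG_STRICT_DEVMEM=y
# CONFIG_EXAMPLE_NEW_LOCKDOWN is not set
CONFIG_EXAMPLE_NEW_KNOB=y
"""

_SET = re.compile(r"^(CONFIG_\w+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")

def parse_config(text):
    """Map each CONFIG_ symbol to its value; 'is not set' lines become 'n'."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET.match(line)
        if m:
            opts[m.group(1)] = m.group(2)
            continue
        m = _UNSET.match(line)
        if m:
            opts[m.group(1)] = "n"
    return opts

def config_changes(old_text, new_text):
    """Return (options new in the upgraded config, options whose value changed)."""
    old, new = parse_config(old_text), parse_config(new_text)
    added = {k: v for k, v in new.items() if k not in old}
    changed = {k: (old[k], new[k]) for k in new if k in old and old[k] != new[k]}
    return added, changed

if __name__ == "__main__":
    added, changed = config_changes(OLD_CONFIG, NEW_CONFIG)
    for name, val in sorted(added.items()):
        print(f"NEW     {name}={val}   <- decide whether it needs locking down")
    for name, (o, n) in sorted(changed.items()):
        print(f"CHANGED {name}: {o} -> {n}")
```

Run it against the real `/boot/config-*` files of the two kernel versions to get the review list for a lockdown pass.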