Ksplice provides updates without reboots
Posted Jul 11, 2009 10:13 UTC (Sat) by nix (subscriber, #2304)
In reply to: Ksplice provides updates without reboots by spender
Parent article: Ksplice provides updates without reboots
experts would much rather spend time on interesting things such as better
security frameworks rather than the incredibly dull gruntwork of poring
through an ocean looking for sunken turds. And the ocean is always growing
far faster than any plausible population of security experts hireable by
one organization can possibly audit them.
It would be very dispiriting for the poor sods so hired: and the net
effect? Sure, security would go up --- but from the point of view of the
alien beings who work the money levers, they'd be paying money to get back
reports of bad security, upgrade hassle for their customers, and bad PR
whenever MS decides to do one of their fallacious 'count the CVE'
Windows-has-better-security PR pushes, but the number of vulnerabilities
probably wouldn't fall all that far, because new code is still arriving
far faster than it could be audited.
Worse yet: a huge amount of security-dangerous stuff isn't in the kernel
at all, but in higher parts of the stack which talk to the network. I'm
certain you couldn't hire enough security experts to audit Firefox and
everything underneath it, and as long as that remains problematic
attackers will still be able to run arbitrary code with the privileges of
a user. (And, TBH, that's all they really care about. They can keysniff
your browser and send their spam without grabbing root...)
But perhaps I'm being too cynical. At least the common core of the kernel
that everyone runs (mm, fs) could probably be kept somewhat more hole-free
than other parts, as it doesn't change all that fast. But I look at other
operating systems, run by people who *do* hire security experts, and I
look at their security records, largely as lamentable as ours, largely in
userspace, and I wonder if it would really help.
Not cynical enough
Posted Jul 14, 2009 20:19 UTC (Tue) by man_ls (guest, #15091)
In a few iterations security will improve so much that Linux will be suitable for end users and the Year of the Linux Desktop will finally arrive.
No way! In the real world, spender will get hired as the kernel security expert; he will bravely go over every kernel fix and find the vulnerability lying within, reveal it with great fanfare and excruciating detail, and use the assigned CVE to properly label the upgrade. Inane DoS attacks will be largely a thing of the past. After all this work every kernel version will carry with it some 2870 "OH NOES PLEASE UPGRADE" warning labels, and with it a heightened sense of warm protection for every user. Not to speak about stable releases -- these will come with a few dozen "OH NOES PLEASE PLEASE UPGRADE" warnings.