Sounds like a job for insurance. The customer decides how much they are willing to pay for how much coverage in the event of a security incident, and the insurer decides, based on the sums involved and an evaluation of the customer's risk, how much money it is worth spending on auditing and on paying kernel programmers to fix bugs. It might also give a more-or-less reasonable metric for kernel security, perhaps also relative to other systems.