
The Linux kernel is a security shit show, but it is the only compatible option in most cases. You can at least strip it to the bone, apply Kernel Self Protection Project guidelines, and run it offline in TEEs or HSMs for your most sensitive operations. This is approaching as good as we will ever get.

Linux is a massive C codebase one can never /fully/ trust or harden, and high-security applications with sufficient resources should favor formally verified microkernels like seL4 whenever possible.
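The "apply KSPP guidelines" step above is usually done by diffing a kernel `.config` against the project's recommended settings. The script below is an added example, not from this thread and not the KSPP's own checker: it compares a `.config` against a hand-picked excerpt of KSPP recommendations (a handful of options that should be `=y` and a handful that should be unset). The option list is deliberately partial, and the sample `.config` written by `write_sample_config` is constructed for the demo, not taken from a real build.

```shell
#!/bin/sh
# Added example: check a kernel .config against a small subset of KSPP
# recommended settings. This is an excerpt, not the full KSPP list.

# Options KSPP recommends building in (=y).
KSPP_REQUIRE_Y="CONFIG_STACKPROTECTOR_STRONG CONFIG_STRICT_KERNEL_RWX CONFIG_RANDOMIZE_BASE CONFIG_HARDENED_USERCOPY CONFIG_FORTIFY_SOURCE CONFIG_SLAB_FREELIST_RANDOM CONFIG_INIT_ON_ALLOC_DEFAULT_ON"
# Options KSPP recommends leaving unset (attack surface reduction).
KSPP_REQUIRE_N="CONFIG_DEVMEM CONFIG_KEXEC CONFIG_HIBERNATION CONFIG_LEGACY_PTYS"

# kspp_check <path-to-.config>
# Prints one line per deviation; the return status is the number of
# deviations found (capped at 255), so 0 means "excerpt fully satisfied".
kspp_check() {
    cfg="$1"
    fails=0
    for opt in $KSPP_REQUIRE_Y; do
        if ! grep -q "^${opt}=y$" "$cfg"; then
            echo "MISSING  ${opt}=y"
            fails=$((fails + 1))
        fi
    done
    for opt in $KSPP_REQUIRE_N; do
        # A "# CONFIG_X is not set" line is fine; =y or =m is the deviation.
        if grep -q "^${opt}=[ym]$" "$cfg"; then
            echo "ENABLED  ${opt} (should be unset)"
            fails=$((fails + 1))
        fi
    done
    if [ "$fails" -gt 255 ]; then
        fails=255
    fi
    return "$fails"
}

# write_sample_config <path>
# Constructed sample .config (not from a real kernel build) with exactly two
# deviations from the excerpt: CONFIG_FORTIFY_SOURCE unset and CONFIG_DEVMEM on.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_RANDOMIZE_BASE=y
CONFIG_HARDENED_USERCOPY=y
# CONFIG_FORTIFY_SOURCE is not set
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
CONFIG_DEVMEM=y
# CONFIG_KEXEC is not set
# CONFIG_HIBERNATION is not set
# CONFIG_LEGACY_PTYS is not set
EOF
}

# Usage: ./kspp_check.sh /path/to/.config   (or /boot/config-$(uname -r))
# With no argument, nothing is checked so the functions can be sourced.
if [ -n "$1" ]; then
    kspp_check "$1"
fi
```

Run it against `/boot/config-$(uname -r)` on a distro kernel and expect a long list; the point of the exercise is that the list is the work item, not the kernel's defaults.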

It is true that Linux rules the world and is absolutely the right platform for a huge number of projects. I'm not saying "Linux is bad, reach for something else." I'm saying "Linux is the foundation for basically the entire computing landscape so the industry needs to take a real hard look at finding a way to make it safe."

I think it can be done. But I think it needs industry-wide effort in a huge way.

I think it is going to be much easier to produce a formally verified Linux ABI compatible microkernel than to ever fix Linux itself at this point.
