grsecurity has disappeared from many projects since its developers stopped publishing the patches, citing trademark misuse by vendors shipping outdated versions of it. Maybe grsecurity should revoke the licence of anyone who compiles outdated grsecurity into future operating systems.
More open source projects would be likely to receive money if, right after the EULA page in the installer, it listed the amount paid to each open source project (to paraphrase The Simpsons, zero is an amount). (Although the EULA text of many installers still includes a portion that people were supposed to remove.)
Despite that, projects backed by large groups aren't that secure. Going by Zerodium's price chart, the effort needed to build a remote jailbreak exploit for Android or Windows is less than one person-year, which should be severely humiliating. Or at least there should be humiliating memes circulating.
Google makes billions. Apple makes billions. Microsoft makes billions. Black Lives Matter receives a hundred million. There may be a psychological factor in paying someone to work for you whom you can't actually boss around. This has impaired the global economy.
Those billions, it goes without saying, come from somewhere. Celebrities promoted Tor, but not much has been done to improve internet security, even though celebrities are popular victims (many were in fact wiretapped by Anthony Pellicano). Sure, there was the Trustworthy Computing Initiative and the Core Infrastructure Initiative, but somehow the Open Handset Alliance didn't produce a secure operating system. The concept of consumer cooperatives exists, but most nonprofits are nearly as democratically run, and somehow, in a democracy, we ended up with the great reform of moving metadata collection to the telephone companies. Many nonprofits could stand to explain their large allowances for travel.
Subgraph OS exists, but it doesn't aim to be amnesiac or to allow non-Tor use. Very few other operating systems seem to achieve that degree of hardening.
Let's consider the math for this. You can include strong security features, but it would cost something like 50% more time. According to the Pareto principle, 80% of the time goes to 20% of the problems, although I wouldn't know how applicable that is to software. Cloudbleed is the cautionary case: a latent buffer overrun in Cloudflare's Ragel-generated HTML parser (an end-of-buffer check written as p == pe where p >= pe was needed) went unnoticed for years, and migrating to a new parser changed the buffer handling enough to trigger it, leaking process memory, including other customers' data, into responses. Just-in-time compilation in browsers has repeatedly shown problems too.
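The Cloudbleed post-mortem traced the leak to a Ragel-generated parser that tested for end of input with an equality check (p == pe) where p >= pe was needed: a transition that advanced p by more than one byte stepped past the end, the check never fired, and the scan kept reading. The following is an added illustration of that bug class written for this page; it is not Cloudflare's code. The quoted-value scanner, its backslash-escape rule, the two check modes and the constructed input are assumptions chosen to show the vulnerable and the fixed check side by side.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added illustration of the Cloudbleed bug class, not Cloudflare's code.
 * A Ragel-style scanner tests for end of input with `p == pe`. A
 * transition that consumes two bytes at once (here: a backslash escape)
 * can step p to pe + 1, after which the equality test never fires and the
 * scan runs on into whatever memory follows the buffer. `p >= pe` is the
 * fix.
 */
enum end_check { CHECK_EQ, CHECK_GE };

/*
 * Scan a double-quoted value in buf[0..len) up to its closing '"'.
 * Returns the number of bytes dereferenced outside the buffer (0 means
 * the scan stayed in bounds). The out_of_bounds counter is demo
 * instrumentation only; the scanner logic itself has no such guard.
 */
static size_t scan_quoted(const char *buf, size_t len, enum end_check mode)
{
    const char *p  = buf;
    const char *pe = buf + len;   /* one past the last valid byte */
    size_t out_of_bounds = 0;

    for (;;) {
        if (p >= pe)
            out_of_bounds++;      /* instrumentation: this read is OOB */
        if (*p == '"')
            break;                /* closing quote found */
        if (*p == '\\')
            p++;                  /* escape consumes the next byte as well */
        p++;
        if (mode == CHECK_EQ ? (p == pe) : (p >= pe))
            break;                /* end of input */
    }
    return out_of_bounds;
}

/*
 * Constructed input: the logical buffer is the 4 bytes `abc\`, a value
 * truncated in the middle of an escape. The bytes after it stand in for
 * adjacent memory; a '"' is planted there so the runaway scan stops
 * instead of reading indefinitely.
 */
static size_t overrun_for(enum end_check mode)
{
    static const char backing[] = "abc\\XXXXX\"";   /* 10 bytes + NUL */
    return scan_quoted(backing, 4, mode);
}

/* Constructed well-formed input with an escaped quote: ab\"c" */
static size_t wellformed_for(enum end_check mode)
{
    static const char backing[] = "ab\\\"c\"";      /* 6 bytes + NUL */
    return scan_quoted(backing, 6, mode);
}

int main(void)
{
    printf("truncated escape, p == pe : %zu bytes read past the end\n",
           overrun_for(CHECK_EQ));
    printf("truncated escape, p >= pe : %zu bytes read past the end\n",
           overrun_for(CHECK_GE));
    printf("well-formed,      p == pe : %zu bytes read past the end\n",
           wellformed_for(CHECK_EQ));
    return 0;
}
```

On well-formed input both checks behave identically, which is why such a bug can sit unnoticed until something else (a new parser, a different buffer layout) changes how p moves at the boundary; on the truncated escape only the equality check lets the scan run past the end.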
Personally, I think a hybrid kernel based on KVM would be best, but I don't know anything. At least it would allow the user to mark certain applications as amnesiac. Obviously any application that can make arbitrary connections is untrustworthy.