Hacker News

mdavid626 07/31/2025

Most of that code is not loaded into the kernel, only when needed.


Replies

darksaints 07/31/2025

True, but the last time I checked (several years ago), the size of the portion of code that is not drivers or kernel modules was still 7 million lines of code, and the average system still has to load a few million more via kernel modules and drivers. That is still a phenomenally large attack surface.

The seL4 kernel is 10k lines of code. OKL4 is 13k. QNX is ~30k.

regularfry 07/31/2025

You've still got a combinatorial complexity problem though, because you never know what a specific user is going to load.
