My conclusion is that microkernels offer some protection from random reboots, but not much against hacking

Say the USB system runs in its own isolated process. Great, but if someone pwns the USB process they can change disk contents, intercept and inject keystrokes, etc. You can usually leverage that into a whole system compromise.

Same with most subsystems: GPU, network, file system process compromises are all easily leveraged to pwn the whole system.