"A surprising number of governments are now deploying their own custom malware and the end result could be chaos for the rest of us, F-Secure's malware chief Mikko Hypponen told the TrustyCon ( https://www.trustycon.org/ ) conference in San Francisco on Thursday.
'Governments writing viruses: today we sort of take that for granted but 10 years ago that would have been science fiction,' he told the public conference. 'If someone had come to me ten years ago and told me that by 2014 it will be commonplace for democratic Western governments to write viruses and actively deploy them against other governments, even friendly governments, I would have thought it was a movie plot. But that's exactly where we are today.'
http://www.scmagazine.com/trustycon-malware-expert -mikko-hypponen-kicks-off-conference-on-trust/arti cle/336089/"
The kernel isn't the single point of failure that you think. Just because I might run Debian doesn't mean that I am necessarily running a kernel packaged and released by Debian. We can, and some of us do, "roll out own" kernels. An exploit that exists on one Debian box, may not exist on another Debian box. And, of course, there are differences between distros. The paranoid who compiles all of his own software from source may share some vulnerabilities with the larger community, or he may even introduce some unique vulnerabilities, but you can't count on much or anything.