I want to be careful not to confuse Keycloak with a few other suites like FreeIPA that we (Latacora) tried, because this was a while ago, way back when we started writing the IdP, and I don't want to accidentally throw shade at another project, so mistakes mine... But the built artifact size is like, 10-100x larger. And that's a Go binary, so no cheating with e.g. grabbing an XML parser from the stdlib or something. You can much more plausibly audit the living daylights out of the Latacora IdP because it's tiny.
The Identity Mutilator is microscopic compared to Keycloak. It just does the two things it's supposed to do: let users log themselves in with 2FA, and then log them in to the applications they've been allowed to use.
My take is, if you were going to use Keycloak (or Shib or FreeIPA), you'd already be using Keycloak.