[hhw]

> See OpenBSD's refusal to add a MAC framework for an example of this. Jails also don't exist for similar reasons, though they are useful for reasons other than security.

I think you've incorrectly interpreted OpenBSD's intentions. OpenBSD doesn't support a MAC framework because they believe the best approach to security is correctness, rather than trying to achieve security by adding features which results in more complexity, making it more difficult to ensure correctness. A common mistake people make is thinking that OpenBSD's primary goal is security; their primary goal is correctness. This just happens to result in better security more often than not.