Kees Cook has been beating that drum for the last year, and he has made some questionable claims:
There have been some bugs which have been found after years of exposure, but the claim that bad guys have been taking advantage of them all that time is absent proof. Where are the 100,000 Linux zombie bot farms? Where are the thousands, or even hundreds of cases of a long lasting bug being exploited? The last Linux zombie bot farm I read about was found about 10 years ago and it consisted of 700 Linux boxes which had very poor or no root passwords. A team of six bad guys, IIRC, worked a dearjohn password cracker for six months to accumulate that meager farm. Linux boxes are prized as control boxes which feed instructions to thousands of Windows zombies precisely because Linux boxes are so difficult to break into when properly configured. I.E., they have a proper password, their package are up to date, and they have an active, well configured firewall.

The "got root" bug found two years ago after being in the wild for five years can't be attributed to any breakins I am aware of. The security expert who crowed about this bug did so to claim that Linux was just as insecure as Windows. However, note that "An attacker who can run code of his choice in the kernel can easily promote himself to the all-powerful Linux user called root." Well, to run the "code of your choice in the kernel" you have to have access to the kernel. IOW, it is a local exploit. If you have local access just select the boot to root grub option, change passwords and then reboot. So many of these holes are local exploits, but not all. Heartbleed was not, but it was created by a PhD computer scientist and his doctoral student, who should have known better than to create a simple buffer overflow in SSL and let it wonder around the world for two years before it was discovered. Some suggest they were paid to put that bug in.

In the CVE database there are listed for 2016 (so far) a total of 102 Linux kernel Vulnerabilities and Exposures. Sixty seven of them are local user exploits. That's a total of 35 non-local exploits in 2016, so far. The Linux kernel is hardly as vulnerable as Windows, which has tens of thousands of exploits per year, and it runs only a fraction of the Internet that Linux runs. And the bad guys are not tripping over exploits left and right and raking in the cash or revealing secrets. The weak link is still social engineering - the part the works the keyboard.

I'm not against what he wants to do, make the kernel more secure, but he is slandering the work of 5,000 people who contribute to the kernel in order to promote his Kernel_Self_Protection_Project.

For years I've heard the old saw: "llinux doesn't get (pick one) virus, bugs, hacked, worms...

Based on reported problems, it seems the old saw is almost true.

Whether that was (past tense) because of lower usage figures compared to Windoze or because it didn't used to be worth hacking because there weren't (past tense) many valuable sets of information stored on Linux systems.

Now (present tense) there are a lot of valuable data sets running under Linux servers and certainly more individual Linux systems.

I consider my own data sets to be valuable, but probably not worth the effort to hack my business/home systems. Still, I'd like to know that the Linux kernel is designed to protect my data.

I think the Linux target has gotten bigger with time.

As you say, Greygeek, the keyboard operator is the weak link.

So, should the Linux kernel be made stronger? Does it have adequate security now? I cannot answer the question personally.