I don't follow the reasoning behind this - even in a verified boot scenario you can just choose to not load the offending kernel module without compromising security.