Last time I tried it, it was a pain to set up and a pain to use, but as a sysadmin there are a lot of things that share those attributes. The only question is if it's worth it. If the current avalanche of patches continues, it might.
I presume you are referring to the GrapheneOS post/thread about this[0], although this implementation is not the same implementation we see on Fedora or Debian, for example, and it appears these distros were (and are) still vulnerable to this exploit with the out-of-the-box configuration of SELinux on these systems.
I still need to troubleshoot from time to time, but I never reach for a permanent `setenforce 0` anymore.
You can run `emerge -u sys-kernel/whatever-kernel-u-use`, maybe followed by `cd /usr/src/linux; make bzImage modules install modules_install...`. Well, probably you'd use genkernel or something like that instead of hand-crafted scripts.
The point is: `emerge -u @world` can run into issues, esp. if you customized a lot; it can't be fully automated. But I've never run into any issues with updating the kernel, and it can be automated.
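As an added example (not code from anyone in this thread), here is a small POSIX sh helper that wraps the Gentoo steps above and then answers the question that actually matters for automation: does the running kernel differ from the newest installed one, i.e. is a reboot needed? The package name `sys-kernel/gentoo-sources`, the use of `genkernel all`, the kernel list taken from `/lib/modules/`, and the exit code 10 are all assumptions chosen for illustration; substitute your own.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Assumptions (adjust to your box):
#   - KERNEL_PKG is the kernel sources package you actually use (hypothetical default below)
#   - genkernel is installed and builds/installs the kernel into /boot
#   - one directory per installed kernel exists under /lib/modules/

KERNEL_PKG="${KERNEL_PKG:-sys-kernel/gentoo-sources}"   # hypothetical default

# newest_kernel LIST
#   LIST is a newline-separated list of kernel version strings (e.g. the
#   entries of /lib/modules/). Prints the highest version. Fields are
#   compared numerically so that 5.10.9 sorts below 5.10.10, which a plain
#   lexical sort gets wrong. A suffix such as "-gentoo" on the third field
#   is ignored by -n because sort only reads the leading digits.
newest_kernel() {
    printf '%s\n' "$1" | grep -v '^$' | sort -t. -k1,1n -k2,2n -k3,3n | tail -n 1
}

# kernel_reboot_needed RUNNING NEWEST
#   Returns 0 (true) when the running kernel differs from the newest
#   installed one, i.e. the machine must reboot to run the new kernel.
kernel_reboot_needed() {
    [ "$1" != "$2" ]
}

# update_kernel
#   The full procedure: update the sources, build and install with genkernel,
#   then report whether a reboot is pending. Only runs when invoked explicitly
#   (./kernel-update.sh run) because it needs root and a real Gentoo system.
update_kernel() {
    set -e
    emerge -u "$KERNEL_PKG"
    genkernel all
    installed=$(ls /lib/modules/ 2>/dev/null)
    newest=$(newest_kernel "$installed")
    if kernel_reboot_needed "$(uname -r)" "$newest"; then
        echo "new kernel $newest installed; reboot required (running $(uname -r))"
        return 10   # hypothetical exit code an orchestrator could map to "schedule reboot"
    fi
    echo "running kernel $(uname -r) is current"
}

case "${1:-}" in
    run) update_kernel ;;
esac
```

The interesting part is the last check: the build itself is the easy bit, as the comment says, so the script's contract is an exit status a cron job or config-management run can act on, which is the piece you have to automate around the reboot.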
It is not so hard to upgrade the kernel; the issue is with the reboot you need to automate. Or with live patching, which doesn't seem encouraging, as you say.
How about strong virtualization? https://qubes-os.org