It would be interesting to find out if there are any modules / api’s, coding, etc. in the rest of the 2018-001 update that have any dependencies on the updated kernel. It could be that the kernel portion is more stand alone and only addresses the cpu vulnerability. But if the updates are meant to work together, then we could have a potential problem somewhere. I’d be curious if we could come up with a hack similar to Boot64 that would prevent the kernel from being overwritten. Or even possibly script it to put the old kernel back prior to reboot or during reboot. Like a boot audit that interrupts the startup long enough to verify the kernel, and replaces the kernel with the old one if it determines that it’s not there. And then rebuilds the links as needed.