In particular about "pattern of UAFs scattered throughout XNU", there was missing memory management of task_t references in the sample code for kext drivers. So it wouldn't be enough to just add the missing retain calls in the Apple XNU kexts, because there may be an unknown number of third party kexts out there. Perhaps not as many as windows has device drivers, but it's still the same type of thing. Can you imagine if every windows device driver turns out to have copy-pasted privesc bugs?

In fact I think there was a similar bug-in-the-templates requiring a world-wide recompile in Microsoft MFC/ATL, perhaps it was this one https://blogs.msdn.microsoft.com/vcblog/2009/08/05/active-te...