Post
Topic
Board Development & Technical Discussion
Re: Corrupt OS defeats air gap.
by quackquack on 12/03/2014, 08:50:40 UTC
grsec is nice. custom kernel and signing binaries. it's a massive job.
avoid binary blobs, you don't know mike what's in the blob.

audit the source and package, use IDS (NIDS/HIDS). audit binaries also.

use decent network devices like something which gives you sources.

switch to opensource networking devices. viz openwrt or debwrt
to protect your network(ing) assets. if your networking assets are
compromised then no matter what you do your system will also
eventually get compromised.

"audit your system and network on a 6 hour basis." automate this
process.

ask application/device vendor for the source code. and audit it.

lastly the bios. it's a PITA, try to go for devices which support the idea
of open source bios. disable computrace. computrace is a menace.

lastly security is not a blackbox device, that you install it and forget
everything else. you need to be proactive and must audit it to your
fullest capacity/capability.

look for the hardening guidelines, if you harden your OS, that's
the first step. then harden the hardware second step. then harden
your networking applications viz routers and switches. then harden
the operation. use strong authentication methods. and lastly have
preying eyes to know who is preying on you. this proactive
approach can help you more than anything else.

lastly look for more information on the web, on what is the threat
scenario and what is/are the counter measures.

hth!
thanks!
-paul