I just keep my prod systems clean, updated and SELinux in enforcing mode. Behind strict firewall of course. This is sufficient for practical reasons.

In proper devops teams, there is no even ssh access. System is deployed from image and configures itself. And is killed in scaling events.

Grsecurity is for hardcore stuff. Or openbsd, ultimate solution :)