Re: Building a more secure system than Android shouldn't be hard
a) Your GSM would of course run on a separate processor with only a well-defined and simple interface to your main computer. Think of AT commands over a serial interface. All GSM stacks support that out of the box.
b) Memory protection might be one of the few things to add as a feature; however, it can only protect you from mistakes. You will never ever be able to trust third-party applications. That's what I mean by "misunderstanding sandboxes". Since Rowhammer(JS) we have learned that sandboxes simply are not able to contain malware securely. However, there are alternatives. One would be to use the handset as a simple terminal for a server-based service. Those protocols can be extremely simple. Or, if you desperately need local software that cannot be audited, you can use a separate second computer inside your handset. This may sound absurd at first, but it's precisely what the SIM has been doing for several decades now.
The current way of doing things, where you have an operating system running apps from untrusted sources, hoping you can somehow secure them by sandboxing, simply does not work.
It's probably best to have a small memory card installed inside your handset which contains the operating system and additional programs you trust. This card is then hardware-protected so that it can only be read from the handset. If you want to install additional software or updates, you need to take it out, place it into a different device and access it. The same can be done with a hardware switch for which you need to open the device. If an attacker already has physical access to a device, there's virtually nothing you can do to secure it anyhow (at least not on a size budget compatible with a mobile phone).
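As an added illustration of point a) above (not part of the original post, and not code from any real handset or baseband vendor): the application-processor side of an AT-command serial link can be reduced to a short allowlist of permitted commands plus a strict parser for the modem's result codes, small enough to audit line by line. The allowlist, the fake modem transcript and the `+CME ERROR` numbers are constructed for this example; in a real build the allowed set would be whatever the handset actually needs and nothing more.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Hypothetical policy: the only command lines the main computer may ever put on
# the wire. Arguments are constrained by the regex (dial strings are digits only,
# bounded in length), so the modem never sees an attacker-chosen free-form string.
ALLOWED_COMMANDS = [
    re.compile(r"AT"),                      # liveness check
    re.compile(r"ATD\+?[0-9]{3,20};"),      # voice dial, digits only
    re.compile(r"ATH"),                     # hang up
    re.compile(r"AT\+CSQ"),                 # signal quality query
    re.compile(r"AT\+CREG\?"),              # network registration query
]

# Final result codes as defined for the AT command set (3GPP TS 27.007 / V.250 style).
FINAL_CODES = {"OK", "ERROR", "NO CARRIER", "BUSY", "NO ANSWER", "NO DIALTONE"}


def is_allowed(cmd: str) -> bool:
    """Accept a command only if it is plain printable ASCII and matches the allowlist."""
    # Control characters (notably CR/LF) are rejected first so a single "command"
    # cannot smuggle a second line onto the serial link.
    if not cmd.isascii() or not cmd.isprintable():
        return False
    return any(p.fullmatch(cmd) for p in ALLOWED_COMMANDS)


@dataclass
class Response:
    final: str                       # one of FINAL_CODES
    info: List[str] = field(default_factory=list)  # information lines before the final code
    error_code: Optional[int] = None  # numeric code from +CME ERROR / +CMS ERROR, if any


def parse_response(raw: bytes) -> Response:
    """Parse a modem reply: zero or more information lines, then exactly one final result code."""
    text = raw.decode("ascii")       # strict: non-ASCII from the modem is a protocol violation
    info: List[str] = []
    for line in text.split("\r\n"):
        line = line.strip()
        if not line:
            continue
        if line in FINAL_CODES:
            return Response(final=line, info=info)
        m = re.fullmatch(r"\+CM[ES] ERROR: (\d+)", line)
        if m:
            # Extended error form: treat as ERROR and keep the numeric reason.
            return Response(final="ERROR", info=info, error_code=int(m.group(1)))
        info.append(line)
    # A reply with no final result code is malformed; never guess what it meant.
    raise ValueError("modem reply had no final result code")


def send(modem: Callable[[bytes], bytes], cmd: str) -> Response:
    """Gateway: enforce the allowlist, frame the command, and parse the reply."""
    if not is_allowed(cmd):
        raise PermissionError(f"command not in allowlist: {cmd!r}")
    return parse_response(modem(cmd.encode("ascii") + b"\r"))


# Constructed stand-in for the baseband so the example runs offline. The replies
# (including the +CME ERROR number) are made up for illustration.
def fake_modem(frame: bytes) -> bytes:
    table = {
        b"AT\r": b"\r\nOK\r\n",
        b"AT+CSQ\r": b"\r\n+CSQ: 21,99\r\n\r\nOK\r\n",
        b"AT+CREG?\r": b"\r\n+CREG: 0,1\r\n\r\nOK\r\n",
        b"ATD+4915550000;\r": b"\r\nOK\r\n",
        b"ATH\r": b"\r\n+CME ERROR: 3\r\n",
    }
    return table.get(frame, b"\r\nERROR\r\n")


if __name__ == "__main__":
    print(send(fake_modem, "AT+CSQ"))
    print(send(fake_modem, "ATH"))
    for bad in ("AT+CMGS=\"123\"", "ATD123;\r\nAT+CFUN=0", "AT+CSQ\x00"):
        print(repr(bad), "allowed:", is_allowed(bad))
```

The point of the allowlist is that auditing the interface means auditing five regular expressions and one parser, rather than the whole of the modem's command set; anything not on the list (SMS, modem configuration, a second line hidden behind a CR) is refused before it reaches the serial port.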