Lofty goals
<quote>To achieve a guarantee of security it must contain no mistakes or vulnerabilities whatsoever in the kernel, which controls the rest of the modules of the system. As a result, the core must be 100 percent verified as not permitting vulnerabilities or dual-purpose code.</quote>
Even if there's no mistakes, that doesn't mean there aren't vulnerabilities. Flaws that haven't even been thought of yet may still come out, also since no router is an island it may well still get compromised in the future.
That's not to say it isn't worth the attempt, it is. It's just I'd never be so arrogant as to assume that just because my own team can't find a flaw, that it means it doesn't exist. (Oh and the dual-purpose code, doesn't that fly in the face of 'keeping it small' since that pretty much bans code reuse or having a function that achieves a few different things, Or have I missed something?)