You should note that this was an MS patch to a previously working configuration. Avast did something that MS-in-the-future didn't like. Failing to test that scenario isn't quite as lax as you suggest. It depends on how fully featured and documented are the kernel hooks that MS (presumably) provide for AV vendors.

"Why is Microsoft allowing kernel patching at all?"

Because third parties like to install drivers for specialised hardware and don't like paying MS to write them? I know a fair bit of hardware can run in user-space once MS have provided a generic driver for the relevant bus, but not everything fits that mold. Notice also that if you have Administrative rights on a Windows machine in user-space it is only a matter of time before you can override any restrictions on kernel patching.

