People who are hopelessly addicted to the idea of doing everything in software may disagree, but seriously, the way to prevent malware infecting your OS is to make the core OS read only. The way to make that read only nature impossible to bypass with software is by making it a hardware feature. To allow for OS maintenence, then, you need a switch with two modes: normal and maintenance.
Consider a small SSD (16gig is plenty, even for multiple OS's). Suppose it is like you get in small laptops. That is plenty fast enough for any machine, even a big server (since anything that requires higher performance than a reasonalbe SSD should not go on the OS drive -- not all user software needs to go on the OS drive).
Now, this SSD has a two-way switch. One way is maintenance mode, the other is normal mode. In maintenance mode, the drive is read-write. Trivial OS support can be added (optionally bypassed, but on by default) so that, in maintence mode, the OS will boot to a maintenance environment (fully functional, but clealy marked as maintenance, or something similar). In this mode you can do OS updates, etc. Drivers do not need this mode to install, nor does user software. This is only for the Core OS files. Importantly, when back in normal mode, this Core OS is not writable, and thus the core binaries, kernel, and so on, can be trusted not to be corrupt (though possibly one should have a means of hashing the data so taht integrity can be verified: again this is a trivial hardware feature, since essentially you just have to stick an OS image in a partition on the OS drive when in maintenance mode, and the drive itself can hash the image.
So basically, you have a slightly modified small SSD for the OS drive, such that the core OS files are read only under normal operations, and ensure that this read-only nature is enforced in hardware with a mechanism which is easy to switch off deliberately, but impossible to get round without physical access. (And the abillity to check OS image hashes should be in the computer firmware.)