Re: Security questions...
Second point fixes this for you:
You will be able to run only in command line mode (NOEXEC breaks Xorg; disabling privileged I/O also breaks Xorg).
If this is a server, you don't need Xorg/nvidia.
If this is a desktop, you don't really need these hardening options.
Your requirement regarding the "no modules" option is silly; grsec/pax protects against loading/unloading modules after boot. If your system was infected before you installed the hardened kernel, then it is too late anyway.