It is easier with something simpler, not something smaller. When you start doing extreme optimization for size, as in this case, you are going to do it at the expense of many things, checks being one of them. If you want to have good security, particularly for something that can be hit with completely arbitrary and hostile input like something on the network, you want to do good data checking and sanitization. Well guess what? That takes code, takes memory, takes cycles. You start stripping everything down to basics, stuff like that may go away.
What's more, with really tiny code sizes, particularly for complex items like an OS, what you are often doing is using assembly, or at best C, which means that you'd better be really careful, but there is a lot of room to fuck up. You mess up one pointer and you can have a major vulnerability. Now you go and use a managed language or the like and the size goes up drastically... but of course that management framework can deal with a lot of issues.