Re-thinking about this again, it seems to me we could simply add a flags field in modinfo_t, with a bit that says "if this module is builtin, then don't load it". To use compat_xyz, you'll have to type modload, and the kernel will load the module from the builtin list.
Something like [1] (from memory, not tested at all). Obviously this patch is not complete, since we need to update each MODULE(). While it is clear that it does not solve the cross-dependency issue we're having, it does reduce the attack surface almost as much as if the module was not builtin, with very little effort. Cheap, but relevant.

[1] http://m00nbsd.net/garbage/module/noload.diff
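A user-space model of the flag proposed in the message above, added here as an illustration; it is not the patch at [1] and not NetBSD code. `MODFLG_NOAUTOLOAD`, `struct modinfo_model`, the function names and the builtin list contents are all hypothetical, and the refusal of implicit loads is an assumption about how "don't load it" would be enforced.

```c
#include <stdbool.h>
#include <string.h>

#define MODFLG_NOAUTOLOAD 0x01  /* hypothetical bit: builtin, but only on request */

struct modinfo_model {          /* simplified stand-in for modinfo_t */
    const char *name;
    unsigned    flags;
    bool        active;         /* true once the module's init code has run */
};

/* Constructed builtin list; the module names are illustrative. */
static struct modinfo_model builtin_list[] = {
    { "ffs",        0,                 false },
    { "compat_xyz", MODFLG_NOAUTOLOAD, false },
};
#define NBUILTIN (sizeof(builtin_list) / sizeof(builtin_list[0]))

static struct modinfo_model *lookup(const char *name) {
    for (size_t i = 0; i < NBUILTIN; i++)
        if (strcmp(builtin_list[i].name, name) == 0)
            return &builtin_list[i];
    return NULL;
}

/* Boot path: initialise builtins, skipping flagged ones. Returns number activated. */
int boot_init_builtins(void) {
    int n = 0;
    for (size_t i = 0; i < NBUILTIN; i++) {
        if (builtin_list[i].flags & MODFLG_NOAUTOLOAD)
            continue;           /* code is linked in but stays dormant */
        builtin_list[i].active = true;
        n++;
    }
    return n;
}

/* by_admin=true models typing modload; any other load path is refused by the flag. */
int load_builtin(const char *name, bool by_admin) {
    struct modinfo_model *mi = lookup(name);
    if (mi == NULL || (!by_admin && (mi->flags & MODFLG_NOAUTOLOAD)))
        return -1;
    mi->active = true;
    return 0;
}

bool module_active(const char *name) {
    struct modinfo_model *mi = lookup(name);
    return mi != NULL && mi->active;
}
```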