I don't know much (if anything) about it, but it can be turned into an interesting thought experiment.

Let’s use Apple as an example, as they tend to do major transitions on a regular basis.

So, let’s say that the top tier already approved the new security mode(l).

Now, how to do it?

My understanding is that most if not all APIs would have to be changed or replaced. So that's pretty much a new OS, that needs new apps (if the APIs change, you cannot simply recompile the apps).

Now, if you expose the existing APIs to the new OS/apps, then what's the gain?

And if you don't expose them, then you basically need a VM. I mean, I don’t know Darwin syscalls, but I suspect you might need new syscalls as well.

And so you end up with a brand new OS that lives in a VM and has no apps. So it's likely order(s?) of magnitude more profitable to just harden the existing platforms.