but then if you could assert the call graph (easily, or even provably correctly), then why not just cull the unused code that led to vulnerability in the first place?

With a statically compiled language it is usually culled through dead-code elimination (DCE), and with static linking you don’t ship entire libraries.