> How is having the device counts as a security feature..?

It means it can be granted or hidden per-chroot.  It means it can have
its permissions twiddled (no chmod/chown-alikes for sysctl).  (The
latter is admittedly fairly pointless for veriexec with its explicit
suser, but I think the point is valid more generally.)

/~\ The ASCII				der Mouse
\ / Ribbon Campaign
 X  Against HTML	       mouse@rodents.montreal.qc.ca
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B