To me the issue is people pushing new kernels to the repos but not being able to provide the same level of support that we have for mainline. Offloading out-of-tree module rebuilds to end users instead of doing it ourselves is clearly not the right solution.
So I say: remove each non-mainline kernel of which the maintainer is unwilling to support the corresponding out-of-tree modules. After all, as Allan points out, rebuilding them is a simple script job...
Cheers.
In general, out-of-tree modules aren't compatible with linux-grsec. It is not enough to simply rebuild them. It would require actively keeping them compatible by maintaining patches for them and possibly working with the upstreams for the out-of-tree modules for cases where bugs are being uncovered rather than false positives / tweaks for compatibility. Some out-of-tree modules aren't going to be compatible with the chosen configuration at all, similar to how Xen support is disabled in favour of having the hardening features marked as incompatible with it. The NVIDIA driver and broadcom-wl need to be patched and and VirtualBox is semi-incompatible with the chosen configuration. AFAIK, users would need to rebuild the kernel with a couple options disabled for all the VirtualBox features to work.