I guess I don't think that's the sole reason, as I think the incentives would still be in place even if Microsoft authored security software did not run anything in kernel space.

You mean in terms of third-parties wanting that level of access regardless? I agree, but it would be an easy "no" then.

In terms of Microsoft convincing regulators that they aren't and won't use any OS knowledge or private APIs ever.