"Is it too much to ask for a commercial OS to come with maximal security as standard, not something that requires user/admin configuration."
Yes, it is. But fortunately for you, I have such a product available for purchase. It's guaranteed to make your computer unhackable, at least while it's running only this OS. You don't need to touch a single config file or even think at all about what you're doing with the machine to ensure the security. Sadly, in order to accomplish this, the following restrictions are present: you can't store or load any data in nonvolatile memory, you can't run more than one program at a time, and you can't communicate with any other system. I was originally not going to let you turn it on either, but I do like providing my customers with features when I can.
You're asking for a perfect solution, all on a system whose entire purpose is to be among the most versatile data processing equipment in the world. It's akin to demanding a lock that can never be opened, even when the prospective burglar has infinite time on their hands and access to high explosives, and, oh yes, you also want it to open in at most two seconds when and only when it's you who's entering. If you want physical security, you have to put some thought into what inefficiencies you'll accept, where you'll need security systems, and what processes you'll need to maintain them. Failing to do that is likely to give you a flawed system. It should be unsurprising that digital security has similar requirements.