On Sat, Apr 6, 2024 at 3:02 AM Tony Walker <tony.walker.iu@gmail.com> wrote:
> I want to shift the discussion to the large number of opportunities for
> hardening and detection that are fairly easy and that we can do right now.

Immutable systems are not for security reasons: as long as you have writable space anywhere, and all "immutable" systems I'm aware of have this, an attacker will always find a way to install his malware. This may stop script kiddies, but not more.
I proved that in the past often enough when people told me that XYZ is more secure than MicroOS, since XYZ claims malware will not survive a reboot.

And with the current SELinux policies nobody will prevent you from running new scripts/applications, since nobody writes a policy for every single application. With SELinux you can only prevent known existing applications from doing things they shouldn't do.

If you want real security, you need remote attestation. This will verify every executable against a remote, trusted source: whether it is on a white- or blacklist, and whether the executable has been modified or not.
We provide that already with openSUSE MicroOS today (system roles with keylime during installation), but I doubt anybody is really using that.

So the features you need are there, you just need to configure and use them.

  Thorsten

--
Thorsten Kukuk, Distinguished Engineer, Senior Architect, Future Technologies
SUSE Software Solutions Germany GmbH, Frankenstraße 146, 90461 Nuernberg, Germany
Managing Director: Ivo Totev, Andrew McDonald, Werner Knoblich (HRB 36809, AG Nürnberg)
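As an added illustration of the check remote attestation performs (not from Thorsten's mail and not Keylime's own code): the verifier compares the kernel's IMA measurement list against an allowlist of expected file digests and flags anything unknown or modified. Paths, digests and log lines below are constructed, and the policy shape only loosely follows a Keylime runtime policy.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed allowlist, loosely shaped like the "digests" map in a Keylime
# runtime policy: path -> set of acceptable sha256 file digests (hex).
ALLOWLIST: Dict[str, Set[str]] = {
    "/usr/bin/bash": {"8f" * 32},
    "/usr/sbin/sshd": {"1a" * 32, "2b" * 32},  # two accepted builds
}
# Paths deliberately not policed (constructed; Keylime calls these "excludes").
EXCLUDES = [re.compile(r"^/var/log/")]

def _line(tmpl: str, digest: str, path: str) -> str:
    # Layout of one ascii_runtime_measurements entry (ima-ng template).
    return f"10 {tmpl} ima-ng sha256:{digest} {path}"

# Constructed sample measurement list as the IMA subsystem would expose it.
SAMPLE_IMA_LOG = "\n".join([
    _line("aa" * 20, "8f" * 32, "/usr/bin/bash"),               # known, matches
    _line("ab" * 20, "2b" * 32, "/usr/sbin/sshd"),              # known, matches
    _line("ac" * 20, "9e" * 32, "/usr/sbin/sshd"),              # known path, other digest
    _line("ad" * 20, "c0" * 32, "/home/user/.cache/dropper"),   # not in policy at all
    _line("ae" * 20, "d1" * 32, "/var/log/journal/x.journal"),  # excluded path
])

IMA_NG = re.compile(r"^(?P<pcr>\d+) (?P<tmpl>[0-9a-f]+) ima-ng "
                    r"(?P<algo>[a-z0-9]+):(?P<digest>[0-9a-f]+) (?P<path>.+)$")

def parse_ima_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (algo, digest, path) per ima-ng entry; other templates are skipped."""
    return [(m["algo"], m["digest"], m["path"])
            for m in map(IMA_NG.match, text.splitlines()) if m]

def evaluate(measurements, allowlist, excludes) -> Dict[str, List[str]]:
    """Classify each measured file: ok (listed digest), modified (listed path,
    unexpected digest), unknown (path absent from the policy), excluded."""
    v: Dict[str, List[str]] = {"ok": [], "modified": [], "unknown": [], "excluded": []}
    for algo, digest, path in measurements:
        if any(rx.search(path) for rx in excludes):
            v["excluded"].append(path)
        elif algo != "sha256" or path not in allowlist:  # policy holds sha256 only
            v["unknown"].append(path)
        elif digest in allowlist[path]:
            v["ok"].append(path)
        else:
            v["modified"].append(path)
    return v

def attest(text: str) -> Tuple[bool, Dict[str, List[str]]]:
    """Verifier verdict: pass only if nothing is unknown or modified."""
    v = evaluate(parse_ima_log(text), ALLOWLIST, EXCLUDES)
    return (not v["modified"] and not v["unknown"]), v
```

Running `attest(SAMPLE_IMA_LOG)` fails the sample host because of the modified sshd and the unlisted dropper, while the excluded log file is reported but not held against it.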