Re: As long as it runs Android...
And now to address each point:
1) Most Andorid handsets come bundled with (closed source) vendor bloatware. Some of which can be disabled some of which cannot. Possibly not the fault of the OS, but thats the way it is.
These are vendors interested in data mining. This one is figuring on the opposite, so bloatware should be reduced to just Silent Circle and a few essentials.
2) Android is not really open source. The source code/apis for dual SIM functionality has never been released.
Got any better alternatives besides the Android Open-Source Project? Ubuntu's too new, QNX has to be licensed to use, and Blackberry's in limbo. Besides, do any of them support dual SIMs? The main reason it's not community-supported goes to your next point below.
3) Modem/radio part of the firmware tends to be vendor specific. Lots of scope for NSA abuse there. (Maybe not part of the Android OS but you won't get far without it)
If you can't trust the radio or modem chip, you're basically screwed since these chips are usually patent-encumbered meaning an open version of such won't exist. And if it's not the NSA poking backdoors in the hardware, it's their Russian or Chinese counterparts. Why not just X-ray each lot that comes in to make sure their pattern matches a known-good spec?
(Going back to dual SIMs, there's more than one way to make it work. Dual SIM controllers are as closed as radio and modem chips. THAT'S why they're not community-supported.)
4) Even in a stripped down Android with no Gapps (including Cyanogenmod) it reaches out to Google servers. Specifically clients3.l.google.com (check getDefaultUrl() in the ConnectivityService). This at the moment is fairly harmless, but could be exploited in the future and there may be others.
Is this true even of non-Google Android devices like the Amazon Kindles and B&N Nooks? Besides, something like that should be easy to edit in the source. It's just that many open-source distros don't bother.
5) Apps can and do request lots of permissions. These cannot be turned off. You either install the app or you do not. Is it the OS role to police the apps? Maybe not, but it could be improved. Like disabling perm by perm after installation.
Not even with App Ops or a similar security program? And there are versions that work with the latest Android 4.4.2 KitKat.