I think it comes down to how everything gets packaged. If you build a system using Linux then if you want DRM code that people don't get to see the source to then it has to be in your application or in a binary loadable module (because building it into the kernel would require changing the GPL protected code and therefore require you to ship you DRM changes). In both cases if someone can get at the kernel binary and replace it they can bypass the DRM.

eCos on the other had is designed to have third party code built into it at compile time. Therefore you can end up shipping a single binary so someone can't just swap in another kernel.

Of course this difference is fair moot if you encrypt/sign the binaries and have you permanent firmware only load signed binaries. I'm guessing that the Karma probably does something like this anyway.

IANAL