Ok, I used the current Maverick 2.6.35-rc1 kernel's config-2.6.35-1-generic and finished auditing everything again after a couple of hours.

A number of config options are still needed for optimal hardware support, and since they should be added as modular where possible, there is no impact:

CONFIG_TASK_DELAY_ACCT
CONFIG_OPROFILE_EVENT_MULTIPLEX
CONFIG_COMPACTION - needed for huge pages support
CONFIG_INTEL_IDLE - Y rather than M
CONFIG_DMAR - needed for newest Intel server boards
CONFIG_INTR_REMAP - needed for newest Intel server boards
CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS - saves I/O with GDB 6.7 and newer
CONFIG_IP_PNP - needed for network booting
CONFIG_L2TP_V3
CONFIG_NET_CLS_IND
CONFIG_BT_L2CAP_EXT_FEATURES
CONFIG_MTD_ONENAND_OTP
CONFIG_PARIDE_EPATC8
CONFIG_BLK_DEV_DRBD
CONFIG_CS5535_MFGPT
CONFIG_VMWARE_BALLOON
CONFIG_PATA_TOSHIBA
CONFIG_ENC28J60
CONFIG_R6040
CONFIG_DL2K
CONFIG_ROADRUNNER_LARGE_RINGS - "to allow for fastest operation,"
CONFIG_GIGASET_CAPI - "CAPI 2.0 driver interfacing the Kernel CAPI subsystem."
CONFIG_INPUT_APANEL
CONFIG_ISI
CONFIG_N_GSM
CONFIG_LP_CONSOLE - useful for certain setups
CONFIG_SPI_DESIGNWARE - as M not Y
CONFIG_SPI_XILINX
CONFIG_HP_WATCHDOG
CONFIG_REGULATOR_FIXED_VOLTAGE
CONFIG_DVB_USB_EC168
CONFIG_SND_AC97_POWER_SAVE_DEFAULT - set to eg 3
CONFIG_SND_HDA_POWER_SAVE_DEFAULT - set to eg 3
CONFIG_SND_USB_UA101
CONFIG_USB_DYNAMIC_MINORS - "needed for more than 16 of a single type device"
CONFIG_USB_SISUSBVGA_CON
CONFIG_USB_G_MULTI
CONFIG_ASYNC_TX_DMA
CONFIG_OTUS
CONFIG_VT6655
CONFIG_LOGFS
CONFIG_NFS_FSCACHE
CONFIG_ENABLE_WARN_DEPRECATED - better to have these messages in the build logs
CONFIG_ENABLE_MUST_CHECK - better to have these messages in the build logs
CONFIG_HEADERS_CHECK - better to have these sanity checks on userspace headers
CONFIG_EARLY_PRINTK_DBGP - needed for console on modern servers/laptops without serial ports
CONFIG_IO_DELAY_UDELAY or CONFIG_IO_DELAY_NONE - to avoid port I/O side effects.
Currently non-recommended port 0xed is selected.

There are configuration options which are unmaintained and are best disabled to minimise later bug exploits/attack surface (particularly eg in server environments). Largely for old userspace libraries which haven't shipped with distros for some years - udev rules can be quickly updated if needed during the dev cycle:

PROC_PID_CPUSET - legacy
CONFIG_PERF_COUNTERS - obsoleted by CONFIG_PERF_EVENTS
CONFIG_AMD_IOMMU_STATS - more useful for debugging driver
CONFIG_X86_MCE_INJECT - only useful for testing and exposing more attack surface
CONFIG_K8_NUMA - X86_64_ACPI_NUMA takes priority rendering this useless
CONFIG_PM_TEST_SUSPEND - debug/test code
CONFIG_ACPI_PROCFS - "For backwards compatibility"
CONFIG_ACPI_PROCFS_POWER - "For backwards compatibility"
CONFIG_ACPI_PROC_EVENT - "Say N if your user-space is newer than kernel 2.6.23 (September 2007)"
CONFIG_ACPI_APEI_EINJ - "used for debugging"
CONFIG_X86_SPEEDSTEP_CENTRINO - "deprecated and now merged into acpi_cpufreq"
CONFIG_NF_CONNTRACK_PROC_COMPAT - "for old programs"
CONFIG_IP_NF_QUEUE - "obsoleted by CONFIG_NETFILTER_NETLINK_QUEUE"
CONFIG_IP6_NF_QUEUE - "obsoleted by CONFIG_NETFILTER_NETLINK_QUEUE"
CONFIG_BRIDGE_EBT_ULOG - "obsoleted by CONFIG_NETFILTER_NETLINK_LOG"
CONFIG_L2TP_DEBUGFS - "used to dump internal state of the l2tp drivers"
CONFIG_IRDA_DEBUG - "write debug information to your syslog."
CONFIG_NL80211_TESTMODE - "ONLY for kernels that are specifically built for things like factory calibration or validation tools"
CONFIG_CFG80211_REG_DEBUG - "debug regulatory changes."
CONFIG_CFG80211_WEXT - "for old userspace for wireless extensions with cfg80211-based drivers."
CONFIG_WIRELESS_EXT_SYSFS - "deprecated wireless statistics, for eg old versions of hal"
CONFIG_MAC80211_DEBUGFS - "extensive information about the internal state of mac80211"
CONFIG_MTD_DOC2000 - "This driver is deprecated by CONFIG_MTD_NAND_DISKONCHIP"
CONFIG_MTD_DOC2001 - "This driver is deprecated by CONFIG_MTD_NAND_DISKONCHIP"
CONFIG_MTD_ONENAND_VERIFY_WRITE - "NAND verification disabled in other drivers"
CONFIG_PNP_DEBUG_MESSAGES - "to produce debugging messages"
CONFIG_SCSI_PROC_FS - "legacy support"
CONFIG_AIC7XXX_DEBUG_ENABLE - "for diagnosing driver errors."
CONFIG_AIC79XX_DEBUG_ENABLE - "for diagnosing driver errors."
CONFIG_SCSI_MVSAS_DEBUG - "driver prints some messages to the console."
CONFIG_IEEE1394 - "superseded by the newer firewire-core driver."
CONFIG_IEEE1394_DV1394 - "unsupported. functionality is now provided by raw1394"
CONFIG_8139TOO_PIO - "If unsure, say N."
CONFIG_PRISM54 - "deprecated in favor for p54pci."
CONFIG_LIBIPW_DEBUG - "debug tracing output"
CONFIG_IWLWIFI_DEVICE_TRACING - "Y here to trace all commands, including TX frames and IO accesses"
CONFIG_IWM_TRACING - "trace all the commands and responses between the driver and firmware"
CONFIG_ISDN_I4L - "Old ISDN4Linux (deprecated)"
CONFIG_ISDN_CAPI_CAPIFS_BOOL - "udev fully replaces it. scheduled for removal."
CONFIG_INPUT_MOUSEDEV_PSAUX - "legacy /dev/psaux device"
CONFIG_LEGACY_PTYS - not needed for a long time
CONFIG_VIDEO_CPIA - "DEPRECATED. please use the gspca cpia1 module instead."
CONFIG_USB_QUICKCAM_MESSENGER - "DEPRECATED. use the gspca stv06xx module instead."
CONFIG_USB_ET61X251 - "DEPRECATED. use the gspca zc3xx module instead."
CONFIG_VIDEO_OVCAMCHIP - "DEPRECATED. use the gspca ov519 module instead."
CONFIG_USB_W9968CF - "DEPRECATED. use the gspca ov519 module instead."
CONFIG_USB_SN9C102 - "DEPRECATED. use the gspca sonixb and sonixj modules instead."
CONFIG_USB_STV680 - "DEPRECATED. use the gspca stv0680 module instead."
CONFIG_USB_ZC0301 - "DEPRECATED. use the gspca zc3xx module instead."
CONFIG_SND_SUPPORT_OLD_API - needed only for old ALSA libraries ver.0.9.0 rc3 or before
CONFIG_INFINIBAND_AMSO1100_DEBUG - "Select this if you are developing the driver"
CONFIG_XEN_COMPAT_XENFS - "only for old XEN userspace tools, now superseded"
CONFIG_THINKPAD_ACPI_DEBUGFACILITIES - "completely useless for normal use. Say N here, unless you were told by a kernel maintainer"
CONFIG_QFMT_V1 - "This quota format was (is) used by kernels earlier than 2.4.22." - supports 32-bit limits only
CONFIG_SMB_FS - "OBSOLETE, please use CIFS", not maintained so additional security implications
CONFIG_STRIP_ASM_SYMS - "prevent polluting the output of get_wchan() and suchlike with internal assembler-generated symbols"
CONFIG_CPU_NOTIFIER_ERROR_INJECT - only needed for debugging cpu notifier infrastructure and potential security implications
CONFIG_OPTIMIZE_INLINING - potential performance loss: see http://lkml.org/lkml/2008/11/14/203
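
An added example, not part of the original comment: a small checker that runs a kernel .config against a subset of the options listed above, reporting ones that are still enabled and ones not in the state the comment asks for. The function names and the sample config are assumptions constructed for illustration.

```python
import re

# Subset of the options the comment above recommends disabling.
SHOULD_BE_OFF = ["CONFIG_X86_MCE_INJECT", "CONFIG_ACPI_APEI_EINJ",
                 "CONFIG_SMB_FS", "CONFIG_LEGACY_PTYS",
                 "CONFIG_NL80211_TESTMODE", "CONFIG_CPU_NOTIFIER_ERROR_INJECT"]
# Options the comment wants in a given state ("Y rather than M", "as M not Y").
WANTED_STATE = {"CONFIG_INTEL_IDLE": "y", "CONFIG_SPI_DESIGNWARE": "m"}

_SET = re.compile(r"^(CONFIG_\w+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")

def parse_config(text):
    """Map option name -> value; 'n' for '# CONFIG_X is not set' lines."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET.match(line)
        if m:
            opts[m.group(1)] = m.group(2)
            continue
        m = _UNSET.match(line)
        if m:
            opts[m.group(1)] = "n"
    return opts

def audit(text):
    """Return (still_enabled, wrong_state) findings for a kernel .config."""
    opts = parse_config(text)
    # A symbol absent from the file is treated as off: Kconfig omits
    # symbols whose dependencies are not met.
    still_enabled = sorted(o for o in SHOULD_BE_OFF if opts.get(o, "n") != "n")
    wrong_state = {o: opts.get(o, "n") for o, want in WANTED_STATE.items()
                   if opts.get(o, "n") != want}
    return still_enabled, wrong_state

# Constructed sample lines, not taken from a real Ubuntu config.
SAMPLE = """\
CONFIG_X86_MCE_INJECT=m
# CONFIG_ACPI_APEI_EINJ is not set
CONFIG_SMB_FS=m
CONFIG_LEGACY_PTYS=y
CONFIG_LEGACY_PTY_COUNT=0
CONFIG_INTEL_IDLE=m
CONFIG_SPI_DESIGNWARE=y
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Running the same check against each new config in the build makes a re-enabled legacy or debug option show up as a diff rather than needing another manual audit.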