
Re: Anti-malware for my personal Debian workstation?




On Sun, Feb 23, 2020, 6:03 AM mlnl <mlnl@mailbox.org> wrote:

I think it is more important & useful to audit & harden/secure your
system, kernels (KSPP), services and applications with IDS/IPS (e.g.
Samhain), MACs like AppArmor, systemd-analyze security unit, secured
sudoers file, use of additional 2FA tokens and so on...

I agree with this strongly. I believe AppArmor is enabled and configured properly at install on recent Ubuntu. I stick with it. I worked with true MAC before SELinux, but I became a fan of Red Hat's targeted mode (IIRC); it's easier to administer than a true full SELinux environment but not necessarily intended for multi-user-login environments.

Also don't ignore Extended ACLs, though I'm not sure if all filesystem types support them. They became standardised in SysV Unix but were not broadly used.

My hope is that some type of MAC becomes standard, default installation of Linux someday. But not many agree with me, I guess. I don't believe that the added administration work is a net loss. I don't find it any more complex than other admin work.

--
mlnl

