Tubetotext

    CrowdStrike IT Outage Explained by a Windows Developer

    What Happens When a Kernel Driver Like CrowdStrike Fails

    When kernel mode fails, the system crashes because it has to. Consider a scenario where this double-freed code is allowed to continue, maybe with an error message, maybe even allowing you to save your work.

    04:17

    Why CrowdStrike Software is on Machines

    With their Falcon sensor: Falcon is a security product, and while it's not just simply an antivirus, it's not that far off the mark to look at it as though it's really anti-malware for the server. But rather than just looking for file definitions, it analyzes a wide range of application behavior so that it can try to proactively detect new attacks before they're categorized and listed in a formal definition.

    05:55

    How CrowdStrike Driver Processes Updates

    The driver checks for updates and enumerates a folder on the machine looking for dynamic definition files, and it does whatever it is that it needs to do with them.

    08:10

    Why Execution of Untrusted PE Code in the Kernel is Risky

    Executing untrusted PE code in the kernel is risky business at best and could be asking for trouble.

    09:14

    Why Windows is Not More Resilient to This Type of Issue

    Windows in fact does offer a number of facilities like that, going back as far as booting with the last known good registry hive, but there's a catch, and that catch is that CrowdStrike marked their driver as a boot driver. A boot driver is a device driver that must be installed to start the Windows operating system.

    11:27