Yeah. I fear the open-source side only ever catches up once something becomes commoditized, so the actual answer is probably that if you care enough you use a weird and slow phone built for this stuff (that Mozilla phone project?), you use whatever the current replacement ROM project is (I would hope one of Cyanogen et al would offer a carefully signed open-source build - I haven't actually looked), or you wait a few years.
Even if Cyanogen was perfect, there's a closed-source firmware running baseband processor with complete access to system memory, microphone, GPS, and the network.
I'm kidding but I'm also serious.