Our basic model of operation relies on message passing between the OS kernel, process manager and other services.
There are potential local exploits in that area that wouldn't exist in a system where all drivers live in the same address space as the kernel. Of course, the potential weakness is outweighed by the demonstrated strength of this model, since embedded systems generally aren't overly concerned with local attacks.
Security policy and mandatory access controls dictate which processes can communicate with what other processes. Even if there is a security weakness in some driver and an attacker is able to gain access to the system, if they are unable to communicate with the driver, it will difficult to profit from the weakness.
For more information about the microkernel design and message passing, see the QNX Neutrino Microkernel and Interprocess Communication (IPC) chapters of the System Architecture guide.