For those following along at home, I would suggest booting the grsec enabled kernel once - then saving the output of `sudo lsmod` into a file. Take every module you want (ie: all of them) and put the list into /etc/initramfs-tools/modules - then you'll need to run `dpkg-reconfigure linux-image-4.3.0-1-grsec-amd64` to ensure that those modules are in the initramfs at boot time.
This should allow you to disable all module loading and thus close a rather serious vulnerability: the ability to load kernel modules if you are root. If the attacker has to force you to reboot, it also means that the attacker has to leave a trace behind... First reboot and make sure that it works and if it does, then set the sysctl 'kernel.modules_disabled=1' in /etc/sysctl.d/grsec.conf to stop all module loading after that sysctl is set. This is also probably a fine time to have finished your grsec tuning and so you can also probably set `kernel.grsecurity.grsec_lock=1` as well. The above may not work for everyone - and you may want to trim the /etc/initramfs-tools/modules file to be less than the full output of `lsmod` - ykmmv...