Windows Kernel Data Protection is a kernel security feature which appears to use Extended Page Tables (EPT, a hardware virtualization feature) to enforce read-only pages. How effective is this at protecting from kernel exploits in the real world? Is this an effective mitigation, or security theater that only causes attackers to think a little more about which data structure they want to overwrite?
Would it be correct to say that it is similar to the controversial LKRG for Linux (a stupid kernel module that scans sensitive kernel data structures for changes), except that rather than attempting to detect compromised kernel data structures post-exploitation, KDP enforces write-protection using EPTs?
According to Microsoft's Base Kernel Team:
Kernel Data Protection (KDP) is a new technology that prevents data corruption attacks by protecting parts of the Windows kernel and drivers through virtualization-based security (VBS). KDP is a set of APIs that provide the ability to mark some kernel memory as read-only, preventing attackers from ever modifying protected memory. For example, we’ve seen attackers use signed but vulnerable drivers to attack policy data structures and install a malicious, unsigned driver. KDP mitigates such attacks by ensuring that policy data structures cannot be tampered with.
This makes it sound like KDP is designed to prevent an attacker with an arbitrary write vulnerability (but not arbitrary code execution) from modifying the kernel in such a way that they could then gain arbitrary code execution through loading a new driver. But if an attacker already has arbitrary writes, aren't there so many more data structures an attacker could overwrite that are not protected to gain code execution? Even if it's not only driver policy data structures that are protected (is it also all of the kernel's text and rodata sections in addition to specially-chosen data structures like driver policies?), this seems completely inadequate against an attacker with an arbitrary write primitive.
The reason I ask this is that KDP appears to me to be an attempt to work around the fact that vulnerable kernel code (typically vulnerable driver code) runs in the same address space and at the same privilege level as the rest of the kernel. That seems like a losing battle.
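The argument in the question (write protection only helps for the structures that were actually marked read-only; an attacker with an arbitrary write simply picks a different target) can be modelled without a hypervisor. The following is an added example, not code from the question or from Microsoft, and it is a user-mode analogue only: real KDP makes pages read-only through VBS, i.e. the hypervisor's second-level (EPT) page tables, which the kernel's own page tables cannot override, and drivers opt in through APIs such as MmProtectDriverSection. Here `mprotect()` stands in for that enforcement, the `policy` and `callbacks` structures are constructed stand-ins for a protected CI policy blob and an unprotected function-pointer table, and `arbitrary_write()` is a stand-in for an attacker's write primitive that reports whether the store landed or faulted.

```c
/*
 * Added example: user-mode analogue of KDP-style selective write protection.
 * Not KDP's real API. mprotect() stands in for the VBS/EPT read-only
 * enforcement; the structures below are constructed for the demonstration.
 */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

/* Stand-in for a policy structure KDP would protect (e.g. "only load signed drivers"). */
struct policy {
    uint32_t require_signed;
};

/* Stand-in for an unprotected kernel structure holding a function pointer. */
struct callbacks {
    void (*handler)(void);
};

static struct policy    *g_policy;
static struct callbacks *g_cb;
static sigjmp_buf        fault_env;

static void real_handler(void) {}
static void evil_handler(void) {}

/* SIGSEGV handler: unwind back to arbitrary_write() so it can report a fault. */
static void on_segv(int sig) {
    (void)sig;
    siglongjmp(fault_env, 1);
}

/* Model of an attacker's arbitrary-write primitive.
 * Returns 1 if the bytes were written, 0 if the page protection faulted the store. */
static int arbitrary_write(void *addr, const void *val, size_t n) {
    struct sigaction sa = {0}, old;
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);

    int ok;
    if (sigsetjmp(fault_env, 1) == 0) {
        volatile unsigned char *d = addr;      /* volatile: force the stores to happen */
        const unsigned char *s = val;
        for (size_t i = 0; i < n; i++)
            d[i] = s[i];
        ok = 1;
    } else {
        ok = 0;                                /* landed here via siglongjmp from on_segv */
    }
    sigaction(SIGSEGV, &old, NULL);
    return ok;
}

/* Lay out the toy "kernel": policy on one page, callbacks on the next,
 * then make only the policy page read-only (the KDP analogue). */
static void setup(void) {
    long pg = sysconf(_SC_PAGESIZE);
    unsigned char *mem = mmap(NULL, 2 * (size_t)pg, PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) { perror("mmap"); exit(1); }

    g_policy = (struct policy *)mem;
    g_cb     = (struct callbacks *)(mem + pg);
    g_policy->require_signed = 1;
    g_cb->handler = real_handler;

    mprotect(mem, (size_t)pg, PROT_READ);      /* only the policy page is protected */
}

/* Attack 1: clear the protected policy flag. Expected to fail (returns 0). */
int attack_policy(void) {
    uint32_t zero = 0;
    return arbitrary_write(&g_policy->require_signed, &zero, sizeof zero);
}

/* Attack 2: overwrite an unprotected function pointer instead. Expected to succeed (returns 1). */
int attack_callback(void) {
    void (*p)(void) = evil_handler;
    return arbitrary_write(&g_cb->handler, &p, sizeof p);
}

int policy_intact(void)     { return g_policy->require_signed == 1; }
int callback_hijacked(void) { return g_cb->handler == evil_handler; }

/* Runs both attacks; bit 0 = policy write landed, bit 1 = callback write landed. */
int run_demo(void) {
    setup();
    int r = 0;
    if (attack_policy())   r |= 1;
    if (attack_callback()) r |= 2;
    return r;
}

int main(void) {
    int r = run_demo();
    printf("policy write %s, callback write %s\n",
           (r & 1) ? "landed" : "faulted", (r & 2) ? "landed" : "faulted");
    return 0;
}
```

The point of the model is the second result: the protected structure survives, but the same primitive aimed one page over redirects control flow. KDP raises the bar for a specific class of targets (the policy data it was designed for); it does not remove the attacker's write primitive or protect structures that were never marked.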