Instead of a specific technical answer to your question, one thing I would consider, if regulatory bodies are involved, would be to look for existing hardening documents, scripts, and tools from your auditors and see if there is a common pattern for OS choices that easily check all the boxes. Ask your auditors which OS makes audits easier for them and which of the hardening tools cause the least grief and require the fewest exceptions, before looking at technical options. Just a suggestion from someone who may as well have moved in with the auditors for spending so much time with them.
After narrowing it down to 3 choices, present those choices to:
- Your legal team, to review licenses before you put much effort into setting up automation frameworks, support tools, and installation automation. They can be a buzzkill and I think some may secretly enjoy it.
- The people using that which you plan to administer. Let them play around with each option and get their feedback to maybe have happier group(s) of people to support. Test group 1, test group 2, test group 3. Let them compare and contrast.