If I recall, a truly secure phone is difficult, according to an infosec presentation I saw. The problem is the mobile chipsets, which are closed, making auditing difficult. Most DIY mobiles use these chipsets.
Further, the chips are able to run mini applications, and these can be pushed by service providers with no real way of preventing it from the OS level.
Most of the insecurity stems from the baseband. It's a black box processor with unfettered control. Once you get rid of that, the rest of the hardware is more like a general computer. Getting PCs to work with an entirely free stack is also hard, but tractable. Replicant already does a good job with some old phones.