A long time, because it's been around "forever" and yet has gotten only a very little traction because it is hard, and for most things lack of verification is "good enough".
What you may see more of is the approach taken in this project: Formally prove a tiny kernel that mediates system access, and sandbox everything else.
Though arguably, we're on our way to make that much easier through increasing support for varying levels of virtualization and finer grained authorisation (capabilities etc.), which means this approach will be able yield benefits even for software without a formal proof for the part that mediates system access.
What you may see more of is the approach taken in this project: Formally prove a tiny kernel that mediates system access, and sandbox everything else.
Though arguably, we're on our way to make that much easier through increasing support for varying levels of virtualization and finer grained authorisation (capabilities etc.), which means this approach will be able yield benefits even for software without a formal proof for the part that mediates system access.