It is not possible to achieve the condition of disabling all vulnerable features.
Features that may be disabled through a browser's user interface do not comprise anywhere near the complete set of potential vulnerabilities.
Consider text handling. There is no switch to disable processing of multi-byte unicode characters, yet improper handling of these has been the vector for a number of client-side attacks involving delivery and execution of exploit payloads. The underlying problem of parsing streams of bits and turning them into data structures is not securely solved.
There is also what sounds like an assumption in the question that somewhere in a piece of software there is a secure base or core, that functionality accretes, that vulnerabilities exist only in new functionality, that what we have to do to improve security is disable only the new functionality.
This assumption is faulty. Functionality accretes, and with accretion comes complexity and with complexity comes new bugs, but it is not the case that older simpler functionality represents some sort of security ideal.
Newer code is very often written with greater discipline and maturity and awareness of risk, and is often in an absolute sense more secure.
Older functionality may have been secure for the time in which it was authored, but would not survive for a moment against attackers of today. Older code is often of far worse quality than newer code, surviving with known bugs and vulnerabilities only because replacing it is too daunting or complex to realistically contemplate. Security issues may be carefully hidden under layers of intended protections, but they are still present, awaiting a clever enough attacker to find a vector through which to exploit them.
In short, there is no non-vulnerable software. Of course people speak in black and white terms and refer to some features as secure and others as insecure, but it is more accurate to remember in discussions about security the old joke of running faster than the other guy when being chased by a bear.
Chromebooks will be "secure" as long as they're less popular and not Windows. Were Chromebooks the dominant platform in the ecosystem, the rate of discovery of vulnerabilities would dramatically increase. The vulnerabilities would be different in character than ones found on other platforms and so given the current state of knowledge are harder to find than those on other platforms, but they are still there.
This trajectory isn't just true for software, it may be observed in any realm of human functional endeavor. There are incentives to tear down old buildings in Tokyo, even sacred ones, because they represent a danger in the context of making the city more resilient against earthquakes. Cars that are more than 5-7 years old are relatively speaking manifestly unsafe in accidents compared to newer counterparts.
In the end, it isn't vulnerabilities that matter, but safety. It doesn't matter if at a particular point in time a given attacker can't find a weakness in a particular place in a specific piece of software. Attacks are conducted with goals in mind, often economic, and the landscape is rich enough that if one approach fails there are dozens of others that can be profitably tried.
The most common attack that people fall victim to is phishing, which may but doesn't have to exploit any particular piece of technology, beyond using it to engage the victim.
So a browser may not have an extent or discovered vulnerabilities but from a user's perspective that does not make it safe. Simplicity and reduction of functionality can reduce the attack surface and increase the cost of targeting a particular user, but there is no magic combination of settings a user can tweak to enable them to forget about safety.
I hope that was the actual question being asked.
