Focusing on the wrong thing
Hey, I like a good solid round of Microsoft thrashing as much as the next guy, and don't get me wrong, I think Microsoft's approach to security is a bit like putting a high-security Medeco lock on a glass door, but...
If I become the king of the world and start calling the shots, one of the things I'd do is to make ISPs more responsible for handling their share of the problem.
It'd go a long way if ISPs, rather than simply pulling the plug on malware sites and being done with it, were required to freeze the contents of such sites and drop an email to law enforcement. Not asking them to do any more than that--just click a few buttons--and I realize that a lot of the sites (and malcreants) are outside the range of Western law, but it'd help.
Laws making ISPs financially responsible for knowingly hosting malware, with the presence of at least one complaint email to the ISP's abuse@ address constituting prima facie evidence of knowingly hosting malware, would remove the financial incentive to host such malware. It's surprising how many ISPs, even right here in the US, will respond to "you are hosting virus downloaders" with "yeah, so?"
The C&C traffic for many botnets is well understood. ISPs can do filtering and deep packet inspection to look for P2P traffic but they can't do anything about botnet command and control traffic? You hear that sound? It's the sound of the world's smallest fiddle playing in sympathy for the poor overburdened ISPs that have plenty of time to play lap dog for the RIAA by searching for college kids downloading the latest Metallica track but can't do anything about large-scale organized crime activity on their networks.
This kind of crime is economic crime. There are a surprisingly large number of ISPs, many of them located in the US, that benefit economically in direct and indirect ways by facilitating that crime. A bit of economic liability would probably do a lot to make the problem evaporate.