"One quick solution is to not allow anything in email to be executed."
They'll just find an exploit and go AROUND it, say by latching to another process.
"Something more drastic would be a very different OS architecture so, for example, your ransomware can't overwrite your office suite files because the server which is the only thing that can actually access the part of the disk with those files on it only responds to the office suite programs."
Then they just go for the server instead. There MUST be a way to ACCESS it, and if you can ACCESS it, someone else can hack it.
"But the banking spam, for instance, is very unlikely to have come from a pwned machine in the bank"
Meaning that'll be EXACTLY where it comes from.
"Not the only solution. What's required is to build trustable services on top of it. That wouldn't preclude the continued existence of untrustable services."
No, because trusted services on an UNtrusted medium open you to Men in the Middle. It's the Weak Link problem. You have to secure the ENTIRE thing, end-to-end, or the weak link pwns you.
Put it this way. In today's world, the operative statement is "Don't Trust ANYONE...Not Even Yourself."