* Posts by Carl Woodward

1 publicly visible post • joined 27 Jun 2007

The decline of antivirus and the rise of whitelisting

Carl Woodward

Nice idea, but...

Whitelisting is a fantastic idea, no worries there. But...

The idea of all malicious code running from executables is a flawed assumption. Take red-pill blue-pill for example. A cool way of getting kernel-mode running via the paging file. You absolutely do not need an executable to get kernel mode code running. You absolutely do not need a driver image file to sustain a presence in kernel mode. If you have a presence in kernel mode you can easily start introducing different code paths into any process you like.

"Ah, but you can checksum verifications of loaded modules frequently..." When do you do this? Are you absolutely sure that you have those nanoseconds required to do something horrific to your machine covered? Is your thread that does this still running? Are your dispatch routines still what they should be? While you are busy fixing that, what damage has been/is being done?

Whitelisting as a complete security solution needs to do a lot, lot more than I understand it currently does. I am no expert in whitelisting, but to my mind there is a serious amount of extra work to do.

Now, if there was a whitelist that guaranteed the known good software has no exploits too, then I would be happier. However, software with no exploits is as rare as rocking horse poo. And here is my favourite response I got from a pro-whitelisting guy (not a quote): "so, if an exploit is found in a binary, it can be removed from the list...problem solved!" Ummm, this sounds like a window where millions of machines can be totally boned, and not actually that different to waiting for an AV vendor to release a signature/definition/heuristic update.

Ultimately, software can be subverted. Having a bunch of device drivers (or any other module for that matter) loaded on my machine with data sets on which decisions are made reminds me somewhat of AV anyway.