Joe Six-Pack is doomed anyway. Security always relies on a relatively small vanguard of hypervigilant researchers. Not everyone checks file hashes, but some do. Not everyone checks a cert chain, but some do. Not everyone audits code, but some do.
Then they give the vulnerability a whimsical name and logo, and Joe Six-Pack reads about it in the Murdoch press, from his malware-infested PC/phone.
This is how it must be.