It could be the scope is smaller than a walled garden
The article wasn't given all the information by MS, but from what I can read, this *isn't* for "all Windows applications that want to run on Windows 10." It's for only the parts that want kernel-like access. MS are proposing that anything with deep permissions be signed by them and gate-keepered by this Device Guard. But any application that only needs workaday access - i.e. doesn't need to change the kernel - will be fine as normal.
The extra protection being offered is to the kernel and low-level drivers only. And for an average user, the only applications that will want to make changes to such low-level code are a) anti-malware software trying to hook into the OS at the most fundamental level possible, and b) malware trying to do the same. The theory here is that option (a) can get signed by MS and allowed through by the Device Guard - option (b) will be stopped before being able to root you.