theory and practice
"In theory, theory and practice are the same. In practice, they are not." (attributed to Albert Einstein)
Application whitelisting may work in strict government networks where no one cares if there is downtime and no one is responsible for saving the pennies. Business though? No chance.
Surely it is more business friendly to conduct 'continuous application risk assessment', where all running executables are assessed for their 'normalness' (i.e. what, only one machine has this running?), risk indicators (small file, new, no signature, encrypted - oh dear), and behaviour (a new file, never seen before, and now trying to scan internal IPs - really?).
Hey let's call it Continuous Application Cyber Threat Intelligence (CACTI), seeing as it's a prickly area.
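One way to turn the three criteria above (how many machines run it, static risk indicators, and behaviour) into a scoring rule that flags outliers across a fleet. This is an added illustration, not code from the original post; the telemetry fields, the file identifiers, the weights and the threshold are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Observation:  # one running executable on one host (constructed fields)
    host: str
    file_id: str         # stand-in for the executable's hash
    size_bytes: int
    age_days: int        # days since the fleet first saw this file
    signed: bool
    high_entropy: bool   # packed or encrypted sections
    internal_scan: bool  # connections to many distinct internal IPs

def prevalence(observations):
    # "Normalness": how many distinct hosts run each file.
    hosts_per_file = {}
    for o in observations:
        hosts_per_file.setdefault(o.file_id, set()).add(o.host)
    return {f: len(h) for f, h in hosts_per_file.items()}

def risk_score(o, prev, fleet_size):
    # Weighted sum; the weights are illustrative assumptions, not a published scheme.
    score, reasons = 0, []
    if fleet_size > 1 and prev[o.file_id] == 1: score += 3; reasons.append("only one host runs it")
    if o.size_bytes < 50_000: score += 1; reasons.append("small file")
    if o.age_days < 7: score += 2; reasons.append("new to the fleet")
    if not o.signed: score += 2; reasons.append("unsigned")
    if o.high_entropy: score += 2; reasons.append("encrypted/packed")
    if o.internal_scan: score += 4; reasons.append("scanning internal IPs")
    return score, reasons

def triage(observations, threshold=6):
    # Return (host, file_id, score, reasons) for every observation at or over threshold.
    prev = prevalence(observations)
    fleet = len({o.host for o in observations})
    flagged = []
    for o in observations:
        score, reasons = risk_score(o, prev, fleet)
        if score >= threshold:
            flagged.append((o.host, o.file_id, score, reasons))
    return flagged

# Constructed telemetry: one widely deployed signed tool and one odd newcomer.
SAMPLE = [
    Observation("ws-01", "file-A", 4_200_000, 400, True, False, False),
    Observation("ws-02", "file-A", 4_200_000, 400, True, False, False),
    Observation("ws-03", "file-A", 4_200_000, 400, True, False, False),
    Observation("ws-03", "file-B", 31_000, 1, False, True, True),
]
```

Running `triage(SAMPLE)` flags only the newcomer on ws-03, with every reason listed so an analyst can see why it scored high rather than just that it did.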