Everything can be a program, if the OS is a PoS

These "programs" of which you speak, and the whitelists in which you place your faith: how does (e.g.) a cross site scripting attack get blocked by your approach?

How does it stop a scripting/macro attack in general; y'know, Word/Excel macros etc in an environment where "macros have to be allowed or we can't run the business"?

"A safe mode that damn well works and isn't just a cut-down version of the exact same OS with the same system paths, programs installed, etc"

How about an OS that knows how to work right when booted off trusted read-only media (and a return to media which can be swapped between read/write and read-only. In hardware.)

