Re: systems that are no longer "secure" but "immune."
>All. Software. Contains. Bugs.
Yes, but that's a cop-out.
The major problem is that a modern OS is huge and the attack surface is massive. We need a redesign which minimises the attack surface. User-id based rights don't cut it. We need to be able to restrict rights at run-time in a reasonable manner. Things like EMET and capabilities are a good start but not anywhere close to having the required user-friendliness. We need to be able to clamp down on access to the directory tree, raw network stack, localhost-based web proxy, and config system. Those rights need to be defined during installation and managed by an admin system, not from inside the application - no self-updaters.
My internet browser and its sub-processes needs access to the GUI, these particular libraries, its disk cache and its download directory. It needs read-access to part of the registry and it needs r/w to where it stores user preferences (a config file or registry subtree). It does not need access to my whole user directory, screen-saver binaries and preference settings.
I may even need to define a second less secure browser config for intranet work. Maybe that one allows Java but won't connect to any non-rfc1918 addresses. It still does not need access to my whole user directory, screen-saver binaries and preference settings. Some of these things are in EMET and the host firewall settings on Windows, but they need to be brought together and made mainstream, integrating them into the application installer.
We need to kill extension-based interpreter selection and stop hiding "file types." Applications should not be able to overwrite files on their own -they should use an OS-mediated file-save dialogue. OS dialogues should be triggered if they try over-writing files for a mime-type they did not register during installation. Non-installed binaries get r/w to an auto-created subdirectory only.
Maybe I've got some of these details wrong, but this is the kind of OS redesign we need. Even Android and IOS at least attempt fine-grained controls.