I think that this really highlights that the weakest point in any security system is the human.
Nearly all infections of end-client systems today use large factors of social engineering, and there is no simple answer to this problem.
The inherent issue is trust. You HAVE to have a degree of trust in everyday use of a computer system. Just like every day, you trust that when you swing your legs out of bed, gravity will allow you to stand on the floor, every day, you click on My Computer (or the equivalent) and trust that it will list your files, and not format your entire hard disk.
But you don't KNOW that. You don't perform tests every morning to ensure that gravitational pull between the earth and your body is still functional, just like you don't parse the binary code through a hex editor every time you open your documents window, and for good reason.
That's because in those two scenarios, it's pretty much 100% certain this will happen as expected, but then we venture into the grey areas.
Say, you've got an old wooden ladder. You've had it years. It's a bit green with moss, but feels sturdy. How long though, before a rung snaps while you're climbing it? When is the point that you stop trusting it?
We face the same conundrum with software on the internet. How do you KNOW that the next Adobe Flash update hasn't been compromised? Where do you draw the line? Just how dodgy does a website have to look before the risk outweighs that useful looking free app? Once you've downloaded and authorised it to install, you've got absolutely no idea what that code is actually doing, no matter what platform.
Process monitoring might have worked in the nineties, but today, software packages are so vast that it's trivial to hide a few discreet actions amongst the flurry of multi-processed shenanigans. And I'm not talking bloatware, either. Modern software has to cope with networked, multi-platformed, virtualised environments as par for the course.
Microsoft implemented the UAC, which flashes up an alert when a program attempts to do something with elevated privileges, but once you grant the installer permission, you've got no idea what it's actually doing. You can argue for more layered permissions (and on domain machines we can implement them), but in practice there is so much software out there that legitimately needs to modify drivers, for example, you'd just end up blindly clicking more UACs.
I thought Android had the solution when they implemented a permission list at the point of install, but in practice, it's just needlessly scary, and doesn't really help.
"Woah, this gourmet app needs access to internet, my phone, my GPS, and storage!"
Yeah, that's only so it can download the restaurants' menus, show you how far away they are, allow you to phone them, and cache details.
There's nothing to stop it using those permissions to say, upload my constant location to the NSA while scanning my photos for nudes and posting them to a Mexican gay porn site, and I'd be none the wiser.
I just have to trust that it's doing what I expect it to, and that trust is based upon my own experience and knowledge, which is considerably higher than the average Joe.
Further improvement has been made now the access permissions are granted dynamically, but Joe really doesn't gain much more control or awareness.
While it still lists the permissions the app needs at the point of install, the actual access isn't granted until the app tries to use that permission for the first time. This adds a little more oversight to the user, giving you a slightly murky view into what's actually happening under the bonnet, but again, it's limited, and it relies on the user having an instinct based on experience for what could be dodgy behaviour.
And there's nothing to stop a coder creating a trojan that legitimately DOES need the permissions it requests, and DOES use them, while also uploading your dick-pics to dirtyamigos.com. An app like that could remain undetected for a very long time. The Flash Keyboard app was only flagged because somebody asked "hey, why does a simple keyboard app need all of those permissions?"
Then of course, you have heuristic malware scanners. These are basically anti-virus programs that look for dodgy behaviour, rather than a direct mug-shot of a known virus, but this technology has been around for decades, and has never caught on because its AI is not much better than the average Joe, flagging more false alerts than real threats, and often causing users to break software because of panicky false flags.
Maybe heuristics will improve, but looking at the progress of the last decade I don't see it becoming our saviour any time soon.