If you can't install software then you can't install malware.
Can you say "Apple Appstore"?
Installing an app from the Apple app store counts as installing software. As far as I am concerned, they should burn the OS into ROM, and have an MMU that physically prevents code execution outside that memory region. If you really want apps, they can run in a Java sandbox, rather than native assembly code, which has access to all the hardware.
The same can be expected from these Motorola locked down phones. Eventually, the malware authors will get hold of the signing keys, or find and exploit to install there code without these keys, and there goes the security.
Let's assume I actually install apps written in native assembly, which I don't. Even then, it is unlikely that the phone would get cracked within its normal lifetime (3 year contract). After all, there are many phones from many vendors, they would require different binaries, presumably signed with different keys. It is not like the game console market, where there are only 2 or 3 high-value targets for a crack.