1. Yes, an iPhone can be hacked to become a computer, but the default configuration to which your original posting was referring to, is not a personal computer but much closer to a smart terminal since it can't function properly (and by functioning properly I naturally have to include running code) without receiving the approval of a central computer. The point of my counterargument is that while Apple's whitelisting system is working fine on the iPhone, the uses of the iPhone are not as broad as the uses of a personal computer.
2. There is already a security application that acts in the way you propose: Comodo. Now, Comodo is an interesting issue in your argument because it has repeatedly failed in respected antivirus tests such as AV Test, AV Comparatives and even VB100 (which is as close to the defacto standard as it can be). It failed so bad, that it had to be removed by those tests to avoid further embarrassment.
3. Java is not the issue in browsers, since it's not part of the browsers but a plugin instead (which can be forced to work inside a sandbox as Mozilla did for Flash). Javascript is the problem since it's a real programming language that can be used to strech a browser's code to its limits and turn any flaws to possible code execution. I don't think you can whitelist websites from Javascript as well.
Finally, while sandboxing protects the rest of the system it doesn't prevent a hacked application from accessing your data and posting them through the internet.
I'm not invalidating your argument, but I wish to point out that whitelisting may work for some users who use a limited number of applications and even then it won't offer them the complete protection they would hope for. Modern high quality antivirus suites offer superior solutions without restricting the user's choice of applications.