There are an infinite number of strings containing a specific pattern. A computer can't know all strings that contain that pattern, but it can analyze any pattern to see whether it contains that string.
And yes, a computer CAN evaluate code without executing it. It could just execute it in a VM, simulating itself. Derp!
It is not impossible to build a secure system. You define secure behavior, and you build a system that implements it. Many digital and real-world systems are secure.
They are limited in what they do because of your definition of secure, but those limitations are desired. Saying the systems are then useless is simply retarded.
There will always be a method of attack that the computer cannot detect simply based on the fact that it's looking for malicious code (What if the authorized user is malicious. How is the computer supposed to distinguish that?).
So. Fucking. Retarded. You're asking the computer to be omniscient. A computer is a machine. You build authorization and security into it because you don't trust the user, not because you don't trust the machine. It will carry out it's security analysis and either do something or not do something based on the result of that analysis. This behavior is defined by the user, and is by definition desired. A user puts the security checks in place to protect himself from himself. The user is the grand authority on whether or not the system should do something.
Either you make the computer so weak that it cannot possibly run something malicious (and thereby making it all but useless), or you encumber the UI to the point that it requires the user to confirm everything (it's typically a combination of them).
Way to present a false choice.
Man, you're retarded, and the people who wrote that drivel that you've bought into are equally retarded.