These are not all really security practices. Just having XCode (Apple's IDE) installed (something every single MacOSX developer will do) was enough to avoid Flashback. But this is not because the tools added any security at all; instead this was the virus being "smart" and staying away of any machine that had the tools that would more likely expose its own existence.
Basically "this guy MAY be smart, let me get out of here." And it worked; the virus was spotted 2 months late by someone in Russia monitoring botnets, not by anyone from a Mac.
At the end of the day, despite the gargantuan security hole (and it was huge) the virus only infected 1% of active Macs. No anti-virus was able to detect the thing. I dare bet this has more to do with the virus avoiding coders. Had it gone free-for-all, it may had been discovered earlier but it also likely had affected up to 10% of the macs out there.
The only actual security measure anyone would had been able to do to avoid something like this would had been to disable Java entirely, something few Mac users do. On the other hand, OSX does not come with Java. On the other other hand, it will happily download it from Apple (not Sun) the first time the browser meets a Java applet.
What to get out of this? Apple fucked up, and third party code execution environments are huge security holes.