So, most of that post was illegible anti-MS "I imagine everyone who disagrees with me is a fanboy" twisted worldview shit and is largely unreadable. I don't particularly agree with MS's Secure Boot approach, and you manage to point out why in the one coherent sentence at the beginning:
As distinct from the complex web of trust described above where all it takes is yet another leaked key to break into it and render all that TPM stuff irrelevant
Preshipping kernel-signing keys in TPMs and making it tricky to modify the trusted-signing-key list is a dangerous approach they've taken, for this reason. The benefit is that they can get people to actually use it. You can't get many people to use any feature that requires actual configuration. But key revocation is nearly impossible to get right in userland, so there's no way it'll work in a TPM -- a compromised signing key has carte blanche.
Incidentally, as far as I know, the TPM Secure Boot implementation doesn't use web-of-trust, it uses a typical PKI hierarchy.
Somebody clicking on a link in an Outlook message is all it takes to open up Internet Explorer to run whatever it finds in an "asp" script on a hacked MS webserver and next thing you've got files on network shares encrypted and some criminal demanding money - all before the MS or any other antivirus gets a chance to block it.
Secure Boot doesn't do anything to address user-space exploitation. It's not supposed to. That's a more serious problem for most users, yes, but different solutions are for different problems.
Incidentally, with a non-compromised kernel, an antivirus can, if it wants to, block anything before it executes. They hook system calls. They strictly get to operate before any change to the system occurs. In practice, this is often not done (which is why they're not very good), because characterizing "evil behavior" is hard, hooking all system calls is expensive, and people uninstall things that slow down their machine.
You can even, if you want, enforce that every executable memory page on your entire system have a SHA-2 hash that matches the hash for a page from the corresponding signed binary, so that you have no tampered executable memory pages on your whole system. The kernel will gladly do that if you implement it. You can even whitelist individual binaries (by hash+signature, no less), so that untrusted-but-signed binaries can't run either. It's been implemented on a Linux system, years ago. This approach does ruin Javascript, since it's JIT-compiled, but that's probably for the best.