Whitelisting applications would work if this could control what is run on your system. It is variously implemented by either looking up a hash (e.g. MD5) or signing the code. Unfortunately, we can make the following observations, which indicate this does not provide total protection:
By Design:
Some applications allow interpreted code (macros, Visual Basic inside documents, Perl/Java etc.).
Some applications are inherently data (Excel spreadsheet etc.).
Some applications change their behaviour dependent on libraries and plugins which may not be checked against a whitelist (e.g. ActiveX, Greasemonkey).
Some applications self-modify (maybe to try and prevent software theft).
Flaws:
Some applications have flaws that allow code injection (buffer overflows etc.).
Some features can be used for inappropriate purposes (updater that can be fooled into downloading the wrong files).
Sometimes signing keys are reverse engineered or leaked, allowing malware to be whitelisted.
List or key management requires ongoing maintenance and if it goes wrong can mount a denial of service attack on your customers.
Lack of omniscience:
Some people can use a secure application in a secure OS and still do something insecure (phishing etc.).
As new attacks are found, old protections become ineffective.
There is a chance that malware could be whitelisted.
You have to update your whitelist for every update by every vendor.
It is really really hard to be sure that the application does what you are told it does - either deliberately to produce trojan horses or accidentally (see above).
Each user may require a different whitelist as they have different requirements - some may wish to run p2p data sharing whereas others may regard this as a huge security risk.
Lack of omnipotence:
Some flaws are not in the applications - they may be in a hypervisor, loaded onto network cards, on routers, hosted remotely.
IMHO whitelisting requires reducing the functionality of applications (e.g. no Java), adds hoops/costs to professional developers and upsets users, but unfortunately malware writers will focus on the easiest route using what they can get. Cf. http://www.securecomputing.net.au/News/161167,analysis-iphone-malware-evolution-on-overdrive.aspx
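
An added example, not part of the original post: a hash-lookup whitelist that shows two of the observations above, namely that an approved interpreter runs unlisted code unless its input is also checked, and that a vendor update is blocked until the list is updated. The class, method names and sample contents are constructed for illustration, and SHA-256 stands in for the hash.

```python
import hashlib

def digest(content: bytes) -> str:
    # SHA-256 is used here; the lookup works the same for any hash function.
    return hashlib.sha256(content).hexdigest()

# Constructed stand-ins for file contents (not real binaries or scripts).
INTERPRETER_V1 = b"constructed interpreter build 1"
INTERPRETER_V2 = b"constructed interpreter build 2 (vendor update)"
APPROVED_SCRIPT = b"print('monthly report')"
UNREVIEWED_SCRIPT = b"print('never reviewed by anyone')"

class HashAllowlist:
    def __init__(self):
        self.allowed = set()       # digests permitted to run
        self.interpreters = set()  # allowed binaries that execute their input as code

    def approve(self, content: bytes, interpreter: bool = False) -> None:
        self.allowed.add(digest(content))
        if interpreter:
            self.interpreters.add(digest(content))

    def check_binary_only(self, binary: bytes, script=None) -> bool:
        # Naive policy: only the launched executable is looked up; script is ignored.
        return digest(binary) in self.allowed

    def check_with_scripts(self, binary: bytes, script=None) -> bool:
        # Stricter policy (assumption): an interpreter may only run a listed script.
        if digest(binary) not in self.allowed:
            return False
        if digest(binary) in self.interpreters:
            return script is not None and digest(script) in self.allowed
        return True

def build_allowlist() -> HashAllowlist:
    wl = HashAllowlist()
    wl.approve(INTERPRETER_V1, interpreter=True)
    wl.approve(APPROVED_SCRIPT)
    return wl

if __name__ == "__main__":
    wl = build_allowlist()
    print("binary-only, unreviewed script:", wl.check_binary_only(INTERPRETER_V1, UNREVIEWED_SCRIPT))
    print("with scripts, unreviewed script:", wl.check_with_scripts(INTERPRETER_V1, UNREVIEWED_SCRIPT))
    print("with scripts, approved script:", wl.check_with_scripts(INTERPRETER_V1, APPROVED_SCRIPT))
    print("updated interpreter, not re-listed:", wl.check_with_scripts(INTERPRETER_V2, APPROVED_SCRIPT))
```

The stricter check only covers script files passed to a listed interpreter; macros embedded in documents, plugins and code injected through flaws remain outside it, as the post notes.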