Othervise, it would have been nice to allow only certain binaries or software developers/publishers to run. It would also be nice to sign the binaries
and not allow changes.
That would be less help than you might expect (although OS X does do exactly this by default now). Remember all those Word macro viruses of a few years ago? Totally unaffected: it's a genuine copy of MS Word that's running, it's just doing something it really, really shouldn't be. Likewise any browser exploit. Trojans have always relied on the user to execute - and in general, they will execute them, whatever dire warnings you may put in place, unless you can give them a totally locked down system (which, even in a strict corporate setting, is often politically impossible). In a University setting, I've had very senior academics call me up with "I can't open this CampusLife.pdf.exe file someone sent me ... and it won't open on my secretary's PC either." Of course it was malware - but any computer restrictions to prevent that would probably have resulted in unemployment rather than a more secure PC. Telling people at the top of the food chain "you aren't allowed to do that" just won't work. (Fortunately, opening that particular worm did nothing anyway - it either relied on Outlook, or having outbound port 25 open, neither of which applied at that time.)
Ultimately, for anything more than the most limited functionality, you will have security holes - just like you will get hard drives and power supplies failing, keyboards and mice getting choked up with gunk. Reduce the risks where it makes sense (RAID and redundant PSUs for servers, good patch management, sensible firewall settings) and then deal with things that go wrong effectively when it does happen (spares, backups, etc).
Like real life, take sensible security precautions - but going too far can do as much harm as having poor security. Do you drive everywhere in an armored vehicle with armed escorts? Unless you're POTUS or equivalent, that would just be silly - I seem to recall there have been cases of people dying after getting trapped in "panic rooms" after false alarms, because medical help couldn't get to them in time! So, don't be the computer equivalent: blocking attachments entirely is secure, but is it useful?