Re:Fundamental design problem (Score 1)
This seems to me a place where rather than using the blacklist/whitelist method, something akin to Privilege Separation like OpenBSD uses in several places (most notably in OpenSSH) might be in order. Yes, this requires quite a bit of additional coding to do, and it's not completely analogous, sure, but it's more the concept of the separation of permissions instead of generally exposing the controls/functions and trying to control access through methods that are proving themselves to be less-than-robust. They need to stop making blacklists and whitelists of what controls are safe, and instead, make it so that no controls are safe.
Nothing is going to provide perfect insurance against the unexpected, but it does seem to be a fairly solid method for mitigating risk.
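A small illustration of the privilege-separation pattern the comment has in mind, added here as an example and not code from the commenter, OpenBSD or OpenSSH. It assumes the OpenSSH-style split: an unprivileged worker process handles all untrusted input, and a privileged broker process holds the sensitive capability (here a constructed HMAC signing key standing in for "the controls") and answers only one narrowly defined request over a pipe. Every name (`run_privilege_separated`, `broker_handle`, `worker_main`, `load_secret`) is hypothetical, and the key value is a constructed demo value. The point it shows is the one the comment makes: nothing is on a "safe list" for the worker; the worker simply has no controls at all, and anything it asks for outside the single permitted operation is refused.

```python
import hashlib
import hmac
import json
import os
import struct


def load_secret():
    """Privileged side only. Constructed demo key; a real broker would read
    this from a file or key store that the worker's uid cannot open."""
    return b"demo-signing-key-not-real"


def _write_all(fd, data):
    while data:
        n = os.write(fd, data)
        data = data[n:]


def _send(fd, obj):
    """Length-prefixed JSON message over a pipe (hypothetical wire format)."""
    data = json.dumps(obj).encode()
    _write_all(fd, struct.pack("!I", len(data)) + data)


def _readn(fd, n):
    buf = b""
    while len(buf) < n:
        chunk = os.read(fd, n - len(buf))
        if not chunk:
            raise EOFError("peer closed pipe")
        buf += chunk
    return buf


def _recv(fd):
    (n,) = struct.unpack("!I", _readn(fd, 4))
    return json.loads(_readn(fd, n))


def broker_handle(msg, secret):
    """Privileged side: the one operation the worker may request.
    There is no list of 'safe' operations to maintain; anything that is
    not exactly this request is refused, including 'read_secret'."""
    if msg.get("op") == "sign" and isinstance(msg.get("data"), str):
        tag = hmac.new(secret, msg["data"].encode(), hashlib.sha256).hexdigest()
        return {"ok": True, "tag": tag}
    return {"ok": False, "error": "operation not permitted"}


def worker_main(requests, to_broker, from_broker):
    """Unprivileged side: parses untrusted input and relays requests.
    A bug here cannot leak the key, because this process never had it."""
    results = []
    for raw in requests:
        try:
            req = json.loads(raw)
            _send(to_broker, {"op": req.get("op"), "data": req.get("data")})
            results.append(_recv(from_broker))
        except (ValueError, EOFError):
            results.append({"ok": False, "error": "bad request"})
    _send(to_broker, {"op": "done", "results": results})


def run_privilege_separated(requests):
    """Fork the worker FIRST, then load the secret in the parent, so the
    secret is never present in the worker's address space."""
    w2b_r, w2b_w = os.pipe()  # worker -> broker
    b2w_r, b2w_w = os.pipe()  # broker -> worker
    pid = os.fork()
    if pid == 0:  # worker process
        os.close(w2b_r)
        os.close(b2w_w)
        # If started as root, this is where the worker would also drop
        # privileges (setgid/setuid to an unprivileged account, chroot).
        worker_main(requests, w2b_w, b2w_r)
        os._exit(0)
    os.close(w2b_w)
    os.close(b2w_r)
    secret = load_secret()  # loaded only after the fork
    results = None
    while True:
        msg = _recv(w2b_r)
        if msg.get("op") == "done":
            results = msg.get("results")
            break
        _send(b2w_w, broker_handle(msg, secret))
    os.close(w2b_r)
    os.close(b2w_w)
    os.waitpid(pid, 0)
    return results


if __name__ == "__main__":
    # Constructed untrusted input: one valid request, one attempt to pull
    # the key through the broker, and one malformed line.
    demo = ['{"op": "sign", "data": "hello"}', '{"op": "read_secret"}', "not json"]
    for r in run_privilege_separated(demo):
        print(r)
```

The broker/worker boundary is what carries the security here, not the request parser: the worker handles every byte of untrusted input, and the broker's `broker_handle` is the entire surface the worker can reach. Extending the design to real controls means keeping that function small and explicit rather than trying to enumerate which of the worker's own capabilities are "safe".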