>> They can't win.
Sure they can, but it might mean they have to end backwards compatibility to do it, which would be fine if they were serious about security afterwards.
End doing shit like having a registry and allowing apps to create files everywhere in the OS, and having things such as USB keys ever being able to auto-execute. Get rid of useless crap like UAC that just gives the illusion of security by being annoying to users, and instead use a better (I'd suggest Linux-like) security model and package management system that prevents user apps ever being able to install themselves as a part of the OS or mess with the OS's configuration at all. Get rid of any apps such as Office that by accident or design execute data files on loading. Get rid of hidden directories like ApplicationData. Stop using UUIDs everywhere, and stop running things using proxy parent tasks such as svchost, as both obscure what is really going on.
For end-users the best and quickest answer is to do as anyone with a clue has been doing for years: Drop Windows and upgrade to Linux.