clouds have baked private keys into their public images, so that any user could SSH into any machine
The first capture the flag hacking event hosted by my college's volunteer systems team (which supplemented the IT staff) had this problem. Every system had the same SSH keys, so it was easy to man-in-the-middle your opponents, gain their credentials, then log into their actual systems. One of the teams that discovered this (and won the contest) went on to host the next year's event. (This was not recent.)
You can't whitelist everything you need to, and you can't trust end users to be able to do that all themselves (no matter how many dialogs you pop up). A/V is only capable of doing so much, so users still need education.
The other option, as this Google engineer proposes, is to lock everything down and only allow vetted programs. This is called Trusted Computing (a.k.a. Treacherous Computing) for software and digital rights management (digital restrictions management) for media. These are very secure (so long as you trust the vetting agency), but they promote too much vendor lock-in and they directly combat Free Software.
Real wealth can only increase. -- R. Buckminster Fuller