The only way any Windows OS will ever be even close to secure is if Microsoft quits automatically giving superuser privilege to ALL user accounts by default, and instead makes all new installation instances of Windows OS default to having an Admin account with superuser privilege and one or more limited-privilege accounts for the user(s) to do their daily work.
In addition, by default, NO .exe or .dll or other binary program should be executable in the context of any limited-privilege account, meaning that all binary software MUST first be installed from a superuser account for the system to use as a whole. It will also most likely be necessary to prevent even non-binary programs from running in the user-context without explicitly granting them permission.
That would solve about 99.999% of the malware problems, and until that is done, everything else is just adding additional ineffective security band-aids on top of a whole pile of other, older, ineffective security band-aids.
Furthermore, my experience with those piles of security band-aids is that malware finds a way around them every time, and then those "security" band-aids turn into major impediments for removing the malware. In other words, the security measures don't block the malware, but do block the sys admin's efforts.