It would also help if we got OSes that do not give applications blanket rights to read and write everywhere and use as much processing power as they like. Abandoning the shared security model would help a lot.
I'm having a hard time coming up with an example of a critically important vulnerability that relied on permissions models. Arbitrary code execution is usually game-over no matter what privilege level you have.
The exception to this is sandboxing, which is effective (but unreliable) in limited, specific scenarios but not at all effective for the general problem of controlling real, full-featured user programs. Compare the Chrome content sandboxes to the Apple application sandbox.