Well, that's it in a nutshell. Windows has all the security it needs built in already... it's just that it's all switched off by default.
You may as well not bother if 99% never switch it on. This is what happens when you start off with lax procedures all those years ago.
MS needs to start pushing better practices. Say in Windows 9 your default user account isn't automatically a full admin account, maybe add in a learning EMET system that tests every new bit of software and lets the user decide or prompts a simple choice.
That kind of thing is far more useful than crap like Secure Boot. MS just needs to grow some balls and ride out the media storm of "Microsoft implements far too much security... like all other operating systems, if not more so!"