The first "viruses" were on Unix, and the usual attempt was to alter commands. To do that, they needed a "secure shell" like SSH or telnet. It is easy to move telnet to "guest" user and disable SSH port and then inhibit remote login to the few that needs it. There is no way you can change essential parts of Linux or MacOS without having to ask for the Admin password from the user, and been provided this. But, it is fully possible to embed a script in a Jpeg picture, that executes in the user's own context.
If the user wants to see picture effects, video (Flash definitely contains a dangerous script language) and rich media, you will need a way to connect the presentation of these to local applications. These must be able to execute scripts, also to verify and authenticate.
Knowing some of the flaws that allows viruses, I don't expect the developers will have to worry much, except that their code will be inspected to verify that it does just what it should and nothing else. The rest is simple. On Linux and MacOS, an application cannot modify another by accident. It cannot debug the kernel, it cannot chage the "rm" command. Should a pointer go way out in the blue, it will be trapped, and cannot "see" the memory of others (beside allocated shared memory).
I believe most hacks originates from Linux today, since they can leave without making a trace. They have seen to that their systems cannot be hacked. So those writing virus scanners today are facing a bleak future.