Malware is a fact of life. To lock down a system in such a way that there is no possibility of malware making its way onboard you would have to unplug all external connections, melt it down into slag and then dump the molten lump into the Marianas Trench.

If a user can make any changes to the system, it can be infected. If the system can't be infected it also can't be used.