An old idea
Why not lock down the hard drives of servers so that only the baseline inventoried programs can execute? Look, we know malware is going to get through, so why not just prevent it from running when it does?
Building moats and perimeter defences didn't always work in the Middle Ages either.
Educating users? Not realistic or cost-effective in our environment.
Make vendors write bug-free code? Hello! This has been a problem since forever and simply isn't going to happen. Why? Because it's impossible to do for any non-trivial program.
Enumerating the goodness and preventing anything else from executing is the best approach I've heard of.
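The "enumerate the goodness" idea in working form, as an added example that is not part of the original post: a baseline inventory of the server's executables is taken as a map of path to SHA-256, and an execution decision is default-deny, allowing a binary only if it is in the inventory and its hash still matches. The directory layout, file names (`bin/httpd`, `bin/dropper`) and file contents are constructed for the demonstration; the names `build_baseline`, `is_allowed` and `demo` are this example's own.

```python
import hashlib
import hmac
import os
import tempfile
from typing import Dict


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Inventory every regular file under root: relative path -> SHA-256.

    This is the 'known good' set taken from a clean build; anything not in it
    is, by definition, not allowed to run.
    """
    baseline: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def is_allowed(root: str, rel_path: str, baseline: Dict[str, str]) -> bool:
    """Default deny: the binary must be inventoried AND its content must match.

    Keying the allow decision on the hash, not just the path, is what stops a
    trojaned copy dropped over an allowed binary.
    """
    expected = baseline.get(rel_path)
    if expected is None:
        return False  # never inventoried -> deny
    full = os.path.join(root, rel_path)
    if not os.path.isfile(full):
        return False  # missing or not a regular file -> deny
    return hmac.compare_digest(sha256_file(full), expected)


def demo() -> Dict[str, bool]:
    """Constructed scenario (hypothetical files): baseline a tiny 'server',
    then evaluate three execution attempts against that baseline."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "httpd"), "wb") as f:
            f.write(b"#!/bin/sh\necho serving\n")
        baseline = build_baseline(root)

        results: Dict[str, bool] = {}
        # 1. The inventoried, unmodified binary: allowed.
        results["inventoried"] = is_allowed(root, "bin/httpd", baseline)

        # 2. Malware that 'got through' and was dropped to disk: not in the
        #    inventory, so denied without anyone needing a signature for it.
        with open(os.path.join(root, "bin", "dropper"), "wb") as f:
            f.write(b"#!/bin/sh\necho pwned\n")
        results["new_binary"] = is_allowed(root, "bin/dropper", baseline)

        # 3. A backdoored copy written over an allowed path: path matches,
        #    hash does not, so denied.
        with open(os.path.join(root, "bin", "httpd"), "ab") as f:
            f.write(b"echo backdoor\n")
        results["modified_binary"] = is_allowed(root, "bin/httpd", baseline)
        return results


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'ALLOW' if allowed else 'DENY'}")
```

Two practical caveats. The decision logic above is the easy part; in production it has to be enforced by the OS at execution time (a kernel-enforced allowlisting policy), since a userland check can simply be skipped. And the baseline has to be re-taken on every legitimate patch or deployment, or the very updates you want will be the things that get denied.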