As with all security mitigations, it does something: it’s significantly more difficult to get kernel-level malware installed now than in the Win95 days, but it’s not a cast-iron guarantee nothing bad will ever happen again.
Signing is a useful measure. But not by itself. There are several harder admissions to be made.
The security business is very lucrative ambulance-chasing. A business-grade OS needs high-confidence evaluation and design.
mWindows cannot be safe while being all things to all users, with backward-compatibility extending three decades. It may be time to split the product into more than just artificial marketing tiers.
Rewrite the OS in a safer language. I won't pick one, but Microsoft is large and sufficiently profitable to know what to do and how to do it. mWindows 11 should not just be a change of curtains and doilies.
It barely helps at all (almost all your apps are pulling in telemetry/auth libraries from data brokers regardless of the permissions you give them) and the cost (no more personal computing) is incredible.
It's a significant hurdle, especially if getting something signed requires some kind of certification process and company identity verification.
It also ensures that the OS vendor has a copy of the binary (although it will only be the first stage, I assume). Without signing, attackers can push malware onto one machine without anyone else getting a copy.