Code signing can be pretty good at certifying that code hasn't been altered since it was created, but the process of vetting signers and issuing certificates is a complete charade. Certificate authorities all the way up to ultimate trust have been compromised, and day-to-day issuing authorities' "due diligence" consists of little more than cashing your check. Once issued, there's no control over how certificates are stored, used, misused or stolen. On a more fundamental level, we know that code and data are interchangeable. If you allow a signed lisp interpreter to run, every piece of text on your computer is now a program. Many exploits start by breaking the code in some way - buffer overruns put unexpected data in play, for example. All the trust in the world is useless if the trusted program has a bug. I'm not saying that code-centered security measures are useless, only that they are always going to be fallible.