I get what you're saying, but OS vendors could prevent themselves from running arbitrary code, even from themselves, without the user's authorization if they really wanted to. I'm not sure it is in anyone's best interest since it would affect everything from security updates to automatically installing device drivers (e.g. people would be left with insecure systems or would claim Windows is broken since most would not understand the prompts). It would also be difficult to prevent Microsoft's marketing department from sneaking a trojan horse into things like security update.

The average user is not able to understand the code that is running and the 99th percentile user does not want to spend the time to understand the code.

Make it do the security stuff out-of-the-box, allow the user to change ANYTHING they want, including turning off the security stuff. Linux! It's in everyone's best interest.