Free Republic
News/Activism

To: untrained skeptic
However, people would rather complain that Windows is to blame when they download and run some cool program that someone they have never heard of before emailed to them despite all the warnings that such programs might be harmful.

You can actually architect around that. If the filesystem had advanced permissions and the OS didn't require every user to run as an Administrator, you could have administrative applications protected, and each user in their own sandbox, unable to write to other users or the administrative area. The administrative area could then back up documents that could be wiped out by a harmful program, and if there were a problem, restore them on boot.

Of course, that would mean every administrative application would have to be signed by Microsoft, and drivers too for that matter. And there would have to be a way to have lower applications stored to another universally accessible section of the drive, and all applications would have to save preferences and other user-changeable data to their sections. It's a big change, but it could be done.

171 posted on 04/11/2008 11:07:15 AM PDT by dan1123 (If you want to find a person's true religion, ask them what makes them a "good person".)


To: dan1123

Windows has file-level security and doesn't require every user to run as an admin; in fact, MS advises users IN the OS to use the security and do their normal usage under low-powered accounts. Windows users don't because Windows users don't want to bother. Windows users are like a world where you just sit down and go: if they want to install apps, they want to install apps; they don't want to have to log in as an admin to install the apps and then log back in as a normal user to use them. There's absolutely nothing about Windows that forces them to run as admins; they just do it. And really, even if they weren't running as admins they'd still find ways to hose the machine; they'd just log in as a different account to do it.


217 posted on 04/11/2008 12:40:29 PM PDT by discostu (aliens ate my Buick)

To: dan1123
You can actually architect around that. If the filesystem had advanced permissions and the OS didn't require every user to run as an Administrator, you could have administrative applications protected, and each user in their own sandbox, unable to write to other users or the administrative area.

Windows NTFS does have such advanced permissions.

However, there is always a trade-off between usability and functionality.

If a user can change or delete files, so can a trojan program operating as that user.

You can set up different accounts that have permissions to do different tasks or access different files. However, each account can always mess up what it has access to, and while they may not be able to make the OS unusable, they can delete or corrupt their user files, which for most people is what they value most on the machine.

It's much easier to protect system files or keep one user from destroying the files of another user. On a server that is much more critical than protecting a single user's files. However, on most people's PCs a single user's data is most likely the most important thing on that system, and to be able to create and modify that data, they also need to effectively be able to destroy it.

The administrative area could then back up documents that could be wiped out by a harmful program, and if there were a problem, restore them on boot.

Windows does this with device drivers and other system files, but since most people don't want the hassle of having to have a separate administrator account on their PC, a virus or trojan can still destroy those files, because it is effectively being run as the administrator.

Of course, that would mean every administrative application would have to be signed by Microsoft, and drivers too for that matter.

Microsoft doesn't prevent people from loading unsigned drivers, but they do warn them about unsigned drivers. They keep trying to push both developers and customers towards only using signed drivers and applications, but their user base keeps demanding that they be able to run unsigned drivers and apps. Such security is in Windows. The users just don't want to accept the restrictions using such security places on them.

And there would have to be a way to have lower applications stored to another universally accessible section of the drive, and all applications would have to save preferences and other user-changeable data to their sections. It's a big change, but it could be done.

It's already in there and has been in there for quite some time now. Some of the features didn't start maturing until about Windows 2000, and have been improved upon since then, but a lot of what you are suggesting has always been part of the Windows NT line, and I don't think any of it wasn't at least mostly there by Windows 2000.

277 posted on 04/14/2008 7:51:35 AM PDT by untrained skeptic
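The two replies above (posts 217 and 277) make the same point from different angles: the account and NTFS controls dan1123 describes already exist, and the gap is that people choose to run as administrators. The script below is an added example written for this page, not code posted by anyone in the thread, and it shows those controls on a stock Windows machine: whether the current token is an administrator, which principals hold write rights on the system area versus the user's own profile, whether a plain write to each area succeeds, and the Authenticode status of the drivers in System32. It assumes Windows Vista or later with PowerShell 5.1 or newer and the standard locations in $env:SystemRoot, $env:ProgramFiles and $env:USERPROFILE; the helper names Get-WriteAces and Test-CanWrite are this example's own. One caveat the 2008 posts predate in part: on 64-bit Windows from Vista onward the kernel refuses unsigned kernel-mode drivers outright rather than only warning, and in-box drivers are usually signed through a catalog rather than an embedded signature, so treat the per-file Authenticode status as an inventory, not as the kernel's load decision.

```powershell
# Added example for this thread (not from any poster). Assumes Windows Vista+
# and PowerShell 5.1+. Run it once from a standard-user session and once from
# an elevated one to see the difference the posts are talking about.

# 1. Is this session an administrator? Nothing in Windows forces it; the user
#    (or the prompt they clicked through) chose it.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Running as {0}; administrator token: {1}" -f $identity.Name, $isAdmin

# 2. Which principals may write to a directory? Only 'Allow' ACEs that carry
#    Write, Modify or FullControl are listed. (Get-WriteAces is this example's
#    own helper name, not a built-in cmdlet.)
function Get-WriteAces {
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -Path $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.FileSystemRights -match 'Write|Modify|FullControl'
        } |
        Select-Object @{ n = 'Path'; e = { $Path } }, IdentityReference, FileSystemRights
}

# Protected area: expect SYSTEM, Administrators and TrustedInstaller only.
Get-WriteAces -Path "$env:SystemRoot\System32" | Format-Table -AutoSize
# The user's own profile: expect SYSTEM, Administrators and the user itself.
# That last entry is post 277's point: anything running as the user can
# delete what the user can delete.
Get-WriteAces -Path $env:USERPROFILE | Format-Table -AutoSize

# 3. Try an actual write in each area. A standard user should fail on the
#    system and Program Files directories and succeed in the profile; an
#    elevated administrator succeeds everywhere. (Test-CanWrite is this
#    example's own helper.) The probe file is removed again on success.
function Test-CanWrite {
    param([Parameter(Mandatory)][string]$Directory)
    $probe = Join-Path $Directory ("write-probe-{0}.txt" -f [guid]::NewGuid())
    try {
        [IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false   # access denied (or similar) for this token
    }
}

foreach ($dir in @("$env:SystemRoot\System32", $env:ProgramFiles, $env:USERPROFILE)) {
    "{0,-40} writable by this token: {1}" -f $dir, (Test-CanWrite -Directory $dir)
}

# 4. Driver signing inventory: Authenticode status of every .sys file in the
#    drivers directory. 'Valid' means an embedded or catalog signature checked
#    out; 'NotSigned' only means no signature was found by this check.
Get-ChildItem -Path "$env:SystemRoot\System32\drivers\*.sys" |
    Get-AuthenticodeSignature |
    Group-Object -Property Status |
    Select-Object Name, Count |
    Format-Table -AutoSize
```

Running step 3 from a standard-user account is the concrete form of post 277's trade-off: the write to System32 and Program Files is denied, so a trojan running as that user cannot touch the OS or other users' profiles, but the write to $env:USERPROFILE succeeds, so the same trojan can still destroy the user's documents. A backup that a harmful program cannot reach therefore has to live somewhere the user's token cannot write, such as an administrator-owned directory or a separate machine, not merely in a second folder under the same profile.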



FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson