I think this legacy is a burden in all mainstream operating systems? There are capability-based system, but none of them have any traction.

I am not sure what the solution is. Trying to bolt on security still seems better than doing nothing at all, where an application vulnerability immediately means a compromise of the a full user account?