Another thing is that the actions malware takes and the actions legitimate "power user" software takes are separated only by context. Thus, automated behavior analysis is always going to produce false positives.
Yep. Malware is constantly repacked/encrypted. It is impractical/impossible to write static unpacking engines for every type of malware packing technique, so a behavioral analysis engine is a must (btw, behavioral engines still detect malware using signatures).
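
The two points made in the comments above, as an added example that is not part of the thread: a behavioral signature is matched against what a process does rather than against its bytes, so repacking does not change the match, but a legitimate tool that performs the same actions matches as well. The event names, process names and the signature itself are constructed for illustration and do not come from any real product.

```python
from collections import defaultdict

# Constructed telemetry, not real logs: (pid, process, action, detail).
EVENTS = [
    (101, "invoice_viewer.exe", "enum_files", "user documents"),
    (202, "backup_agent.exe", "enum_files", "user documents"),
    (101, "invoice_viewer.exe", "bulk_rewrite", "412 files"),
    (202, "backup_agent.exe", "bulk_rewrite", "398 files"),
    (303, "editor.exe", "bulk_rewrite", "3 files"),
    (101, "invoice_viewer.exe", "delete_snapshots", ""),
    (202, "backup_agent.exe", "delete_snapshots", "rotating old snapshots"),
]

# Hypothetical behavioral signature: these actions, in this order, by one process.
SIGNATURE = ["enum_files", "bulk_rewrite", "delete_snapshots"]


def matches(actions, signature):
    """True if `signature` occurs as an ordered subsequence of `actions`."""
    remaining = iter(actions)
    # `step in remaining` consumes the iterator up to the first hit,
    # so later steps can only match later events.
    return all(step in remaining for step in signature)


def detect(events, signature):
    """Group events per process and return the names whose behavior matches."""
    per_process = defaultdict(list)
    for pid, name, action, _detail in events:
        per_process[(pid, name)].append(action)
    return sorted(
        name for (_pid, name), actions in per_process.items()
        if matches(actions, signature)
    )


if __name__ == "__main__":
    # No file bytes are inspected, so packing or encrypting the sample is
    # irrelevant here. The backup agent is flagged too: only context
    # (who started it, why) separates it from the malicious process.
    for name in detect(EVENTS, SIGNATURE):
        print("flagged:", name)
```
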