by kaba0 963 days ago
So with some insane amount of reverse engineering you can exploit a vulnerability on a single instance of the target program, and that same exploit won’t run on another.

You can, starting from essentially scratch, also create a vulnerability for a separate instance, but it literally stops the spreading of the same malware exploiting multiple computers. How is that not security, and just obscurity? Is this not a valid threat model?

1 comment

No, it's not, and its side effects, making cryptographic verification of your system state and installed programs impossible, make it not even worth discussing.
Verify the sources’ hash and randomize locally. Even better, distribute some intermediate format which is mostly compiled, but reproducible and locally randomize that.