It wouldn't even be hard to achieve security: (1) sandboxing, (2) permissions system, (3) database of bad app signatures, (4) heuristics based monitoring. Most of this is already in place. There's no excuse except money and power.
That’s a pretty broad statement, and sure, you can get an OS with neither, but broadly speaking modern operating systems that people use do have sandboxing and permissions.