How would serving everything through SSL and "enforcing" workstation locks on people mitigate XSS and CSRF attack vectors? Requiring additional privilege elevation drastically reduces this.
Those are already solved by using CSRF tokens and escaping all the things. Still no reason to bother users with additional password prompts, which come with a number of risks of their own, not least of all causing users to use weaker or shared passwords because they have to enter them all the bloody time.