The problem is that modern systems are so horribly complicated and have a high enough security hole density that I fear that whack-a-mole exploit squashing will never get us to a secure state. Shaming developers only helps to kill exploits in the same way that shaming developers works to eliminate all bugs: it might reduce the density but only to a point, and it doesn't really matter if you have one security hole on your system or six, the bad guys will still get in. And even if the universally-used core of the kernel *does* get all its security bugs squashed, the vast mass of drivers run by only a few people (but which many people run at least one of) will still have holes, as will the vast tower of userspace above it, much of which is run by almost everyone.
So attacking kernel devs for 'covering up' holes is pointless: most security threats are in the layers above it, particularly as most cracks these days are financially-motivated and don't care about getting root so much as spying on you, making you a botnet node, and sending out spam, all of which can be done without root. I don't notice Brad howling about FF even though its security record is much worse than the kernel's of late (but they have a webpage saying which security bugs they fixed! that solves everything! oh wait, it doesn't). You surely can't accuse the kernel devs of *not fixing* security holes when they are pointed out: they just don't make a great song-and-dance about it (it's probably wisest to assume that any bug in something all-powerful like the kernel, or something network-facing like FF, is a potential security hole).
Now kernel bugs *are* dangerous --- it's easier to write a seriously infective worm using a kernel remote root exploit than an FF bug --- but are they worth paying so much more attention to than the higher layers?
Perhaps capabilities would have saved us from the insecurity of modern systems, but it's very non-POSIX and Shapiro has been eaten by Microsoft now so we won't see anything from that until a new caps deity emerges. Certainly any number of paranoid bug-hunters aren't going to solve the problem.
Perhaps writing the higher-level stuff in languages better than C would save us, although that would probably just mean attackers finding some other way to force programs to do unexpected things. That'll happen as long as machines can make choices in response to external input, but we could probably get their density down a long way. Then maybe focusing on the kernel to the exclusion of all else would make sense.
If we must use C, randomly perturbing the ABI on each installed system might help a bit (there's been work on this in the past): but it would be difficult, wouldn't stop all exploits by any means, and would break distribution of binaries.
I have no solutions, but what we're doing now surely isn't going to fix anything. Holding back the tide is very praiseworthy, but in the long run gets you nowhere.