Yes, threat models are useful of course. So is risk analysis by the way, ie.: knowing what has critical value in the system (apart from the security mechanisms themselves).
However, threat models are also the area of arcane black magic, or if you prefer, of a lot of subjectivity.
IMHO, even though the attacker point of view is interesting, many of us fall in the trap of concentrating on this point of view. (The dark side is tempting, remember...?;-)
We need to focus more (possibly much more) on the defensive stance. We need to provide more (objective or subjective) guarantees about the security of our system and if possible about the properties we achieve.
One of our cousin, OpenBSD, as taken such a stance more than a decade ago and that brought them (what I see as) serious advantages in the security field, even against "well-funded" attackers.
The overall difference between OpenBSD and the rest of the family, is that they deliberatly raised their security priority (possibly as much as a differenciation feature as an actual objective but then, why should it matter?). It lead them to put actual guarantees on the table: they have something you can argue upon. We need the same approach: raise the priority and do the actual work (whether it be SELinux or something else).
Btw, a recent exchange of comments on LWN also brough me to a similar exchange with Ingo Molnar, and he rightly pointed out the lack of a useful security metric as a possible technical impediment for progress in this area. He also pointed out that users motivation for security features was not very high. Personnally, I am a "security-guy" (for a living), so of course I am heavily biaised. But my answer to the lack of end-users enthusiasm for security mechanisms is simple: "So what?"
(Endusers will never desire or fund security features; because they only want security gurantees.)