Verifying the on-disk copy allows you to cold boot into a known good state, without re-imaging your machine from read-only media, at least until the point where arbitrary, user-supplied code can be run; then you are boned again. You can also safely update the trusted base even on a compromised system, knowing that it hasn't been modified in transit, closing extant holes. You can't prevent the kernel from having holes, though, so you have no protections after you exit your trusted base; the best you can do is have some scanning as part of your trusted, verified base and run it early enough to catch known malware. This does nothing for zero-day exploits and new malware, though.
This is a problem with no easy answers and might not even be a solvable problem, given the complexity needed for modern systems. Have you ever read Vernor Vinge's "Deepness in the Sky"?