I think realistically state is hard to avoid unless you are using disposable read-only memory.
Example, found through Qubes website:
Seems like she'd have more effect designing hardware.
Qubes' design means hardware and software are all separated so a vulnerability in one doesn't mean exposing another.
I like that in their docs they mention an approach they take and when it isn't secure
That being said the main point of security contention is the admin (dom0).
Between the twilight of Moore's law, and the success of open-source software, I just don't see that much long-term value left in x86+PC.
She is working on hardware but that is not as easy to bring into the wider world.
A: Stinkier without, therefore Qubes.
I'd consider betting on one of those things being solid on its own, but not all of them together.
New Thing solves X and Y but not Z.
Therefore, criticize New Thing for not solving Z.
I run into so many people at local interest groups who do less than advisable things on the computer, yet don't even give a second thought to it because "I'm using Tails!" Or
"I'm using Qubes!"
At the same time, I have friends who do security for the military who show and tell so many different (and simple) ways to exfiltrate data that bypass most of the hypervisor/os/software stack.
This is a better condom. That is an accomplishment, and I tip my hat to them. At the same time, if you really don't want the diseases, it's safest to just stay off tindr.
If you've spent any time with Intel's phone-book-sized opcode manual, or following the history of the PC, you get real skeptical when the words "secure" and "PC" are mentioned together.
Why are you pointing the finger at Qubes for not solving every problem there is? It's doing a much better job than ~every other Linux distro.
In my own space, the approach has typically been to minimize attack surface by using the least amount of the simplest possible hardware we can get away with, then verifying the hell out of it. 8/16-bit micros, RS-232, no BIOS, aggressive shielding, and an extreme approach to the actor model. For things that need more horsepower, super-simple 32-bit micros, a real-time microkernel, and loads of QA. It's not perfect, and we leave a lot of performance on the table, but as far as security-per-man-hour-expended goes, I'd put it up against anything on the PC any day of the week.
nickpsecurity made a very good comment on designs circulating in the assurance/defense sectors: https://news.ycombinator.com/item?id=15571546
The best part of his comment was the quote from Brian Snow:
"The problem is innately difficult because from the beginning (ENIAC, 1944), due to the high cost of components, computers were built to share resources (memory, processors, buses, etc.). If you look for a one-word synopsis of computer design philosophy, it was and is sharing. In the security realm, the one word synopsis is separation: keeping the bad guys away from the good guys' stuff!
So today, making a computer secure requires imposing a "separation paradigm" on top of an architecture built to share. That is tough! Even when partially successful, the residual problem is going to be covert channels (i.e. side channels). We really need to focus on making a secure computer, not on making a computer secure -- the point of view changes your beginning assumptions and requirements."
I agree Qubes (or other similar systems) are imperfect - partly due to software bugs, partly due to hardware vulnerabilities. But the it clearly is an improvement, if only thanks to the compartmentalization. I'm sure there are potential adversaries that have access to BIOS backdoors, Xen 0-days etc. But well ...
Never said "Qubes sucks because it's not perfect." I have argued that the PC is too damn crufty and complicated to ever be "reasonably secure".
If I ever felt as though I had to protect myself from FBI or ex-Mossad, I'd feel safer with an iPad and Signal than a PC running anything, and I say that as someone who doesn't particularly trust or care for Apple. You could also go full-Stallman, but that would probably be fairly error-prone if you didn't know as much about computers as RMS.
FWIW I don't think you've answered the "What to use instead, then?" question. I agree there are platforms that are much tighter on security compared to x86 (say, iphones seem to fare quite well), but I don't see how I could use that for my "regular" work. For that, I think Qubes is "reasonably secure" but hopefully it'll get better.
Of course, if your threat model includes guys from NSA/FBI/Mosad, then perhaps it's not enough. But then again, iphone may not be enough either.
If you need a workstation that is hardened against the big boys, I doubt such a thing exists, and it never will if people keep putting all of their hope in the next band-aid. It is also a damn shame, since it's not like this is a problem that needs two more generations of pure science to solve.
Hell, the B5000 was safer than the things we run today, and people didn't stop having better ideas about computing in 1961.