This model needs to evolve from “you must sign with Apple” to “you must sign with one of $TRUSTED_LIST”. There should be a (non-trivial) way to set this, and if I decide all software signed by my best friend is OK then I should have that option. Grandmas should be able to trust software from their IT-expert grandsons and so forth.
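The trusted-list model proposed above, as an added illustration that is not code from this thread or from Apple: the verifier accepts an artifact signed by any key the user has enrolled and fails closed otherwise. It assumes Ed25519 signatures and a hypothetical `TrustList` type; the key names and the artifact bytes are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Signer is one entry in the user's trust list (hypothetical type).
type Signer struct {
	Name string
	Key  ed25519.PublicKey
}

// TrustList replaces "must be signed by Apple" with
// "must be signed by one of these enrolled signatories".
type TrustList struct {
	signers []Signer
}

// Add enrolls a signatory. Enrolment is the deliberate, non-trivial step;
// nothing is trusted by default.
func (t *TrustList) Add(name string, key ed25519.PublicKey) {
	t.signers = append(t.signers, Signer{Name: name, Key: key})
}

// Verify returns the name of the enrolled signatory whose key validates the
// signature over artifact; an unknown key or a tampered artifact is rejected.
func (t *TrustList) Verify(artifact, sig []byte) (string, error) {
	for _, s := range t.signers {
		if ed25519.Verify(s.Key, artifact, sig) {
			return s.Name, nil
		}
	}
	return "", errors.New("signature not from any trusted signatory")
}

func main() {
	vendorPub, _, _ := ed25519.GenerateKey(rand.Reader)          // platform vendor
	friendPub, friendPriv, _ := ed25519.GenerateKey(rand.Reader) // IT-expert grandson
	_, strangerPriv, _ := ed25519.GenerateKey(rand.Reader)       // never enrolled

	var tl TrustList
	tl.Add("vendor", vendorPub)
	tl.Add("friend", friendPub)

	artifact := []byte("constructed sample app bundle") // constructed input
	fmt.Println(tl.Verify(artifact, ed25519.Sign(friendPriv, artifact)))
	fmt.Println(tl.Verify(artifact, ed25519.Sign(strangerPriv, artifact)))
}
```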
There is value in requiring all software to be validated by somebody but it’s a slippery slope to have ONE. The main reason is, even if I trust “Apple” now, what is “Apple” in 10 years? (Heck I thought I “trusted” them to always make desirable hardware, got burned on that one.) Things change. I want another signatory.
Mis-issued certs are common enough that Google et al. had to force Symantec out of the cert-issuing business. It's a model that only works with a monopolistic cartel gatekeeping the ability to issue certs (which is basically Apple's role in this scenario).
There have been issues with code signing, but you can't say it's been pointless. It's a significant hoop to jump through for malware writers and out of reach for basic script kiddies.
How does what you are proposing increase trust for consumers?
I think that when you look at how things went for the certificate business, you will find this model pretty quickly turns into a pretty scammy breed of companies offering "notary" services without a lot of benefit to consumers. Consumers would have to know which authorities were trustworthy, and since most won't care/know, it results in lower security overall.
Now if the App Store were decentralized, I think things would be a lot different. But Apple already owns things end-to-end, so they may as well be the certificate authority as well.