You make two assumptions:
1. denial of service requires compromised hosts 2. good code prevents hosts from being compromised
I agree that without zombies launching a significant DoS is much more difficult, but it can still be done. Also, while many hosts run insecure software, the biggest security vulnerability in most systems is the finger resting on the left mouse button.
Prior to Windows I would have agreed with you. However, with the advent of Windows, I think insecure software has surpassed the user as a source of problems. This is not based on a belief that users have gotten any better, but, rather that software is significantly worse.
Also, waiting for others to clean up their act to be safe isn't usually the most fruitful approach.
This is very true. However, education and encouragement of others to fix their insecure systems is a worth-while endeavor, and, the reality remains that if we could find a way to solve that issue, it would significantly reduce today's DDOS and SPAM environment.
While it can sound a bit theorical (to hope that the "others" will run secure code), as the vast majority of users run OSs from one particular (major) vendor, an amelioration of said family of OSs would certainly benefit to all. Just think about all the recent network havocs caused by worms propagating on one OS platform ...
I'm not all that interested in plugging individual security holes. (Not saying this isn't important, but to the degree this is solvable things are moving in the right direction.) I'm much more interested in shutting up hosts after they've been compromised. This is something we absolutely, positively need to get a handle on.
I think both efforts are necessary and worthy. Owen -- If this message was not signed with gpg key 0FE2AA3D, it's probably a forgery.