@cynicalsecurity thanks for the detailed answer! As I understand it, moving to "thin clients" would make security management simpler, as there are only a few systems to secure instead of a fleet of machines with weird states and requirements. What is not clear is how this would solve the more abstract issue of users accidentally running malware that inherits all their privs (either on their laptop or on the "mainframe").
App whitelisting and sandboxing (mobile apps, Win S) seem to point in the right direction, but I'd be interested in your take, esp. about if/how the proposed distributed model would help with this.