Sadly, parts of Windows have been designed in an insecure manner and are tough to harden.
An example is the rundll wrapper: anything can hide behind this, so if you allow it outbound on port 80, which some legit apps request (but I haven't granted), then any rogue software using the same wrapper would get the same access. It's a similar story with svchost. The original intention was probably simplification, but simplifying security is not always a good idea.
I was running AppLocker on Windows 7 Ultimate, a great built-in security tool. For whatever reason Microsoft decided it's more important to prevent business users from using consumer Windows (by disabling it) than to secure their home versions of the OS, so as such Windows 8.1 Pro has no working AppLocker. The substitute is SRP, which is no longer maintained and from my experience is most definitely inferior. With that said, using SRP is for sure better than no SRP or AppLocker. But it's difficult to get it to work properly with DLL enforcement due to what I think are some bugs.
A lot of problems as well are down to shoddy design by app vendors. I have two examples from mainstream software, Blizzard's Battle.net and Google's Chrome. Even a security app, HitmanPro, uses the same insecure system, which is what?
The system I am talking about is where apps will create temporary new executables to run tasks. In all three of the above examples they will create new executables for updates; I don't know why they cannot function with a permanent updater and have to create a new one for each release, but they do. In addition, HitmanPro will generate a new exe in %temp% when you ask it to run a scan. I did report this to the HitmanPro dev, asking them to make the temp folder they use configurable to fix the security mess; they seemed accepting of the idea but nothing has been done. There are also vendors guilty of having executable code in ProgramData (which shouldn't be used for that purpose) as well as %userprofile%. You guessed it, Chrome is guilty again, and Battle.net also uses ProgramData. This is all important as a good SRP policy is to prevent execution from those locations, but because of these issues whitelists have to be generated, made worse by the fact that they keep creating new binaries. It is also of course a hassle for a firewall config which filters the apps allowed to generate internet traffic.
So recommended practices such as whitelisting the apps allowed to use the internet, locking down executable folders to read-only folders, and also locking down service creation with the same restrictions are made very difficult by these vendors, as well as by Microsoft not allowing consumers to use AppLocker. A decent AppLocker config will beat the vast majority of anything that third-party software can do; your system will be practically immune to malware, only vulnerable via human error or an AppLocker exploit itself.
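Added example, not part of the post above and not code from Microsoft, Blizzard, Google or HitmanPro: one way to deal with the whitelisting hassle the post describes on an edition where AppLocker actually enforces. It inventories the executables the vendors drop into user-writable locations, generates publisher rules for the signed ones (so a newly generated updater from the same signer still passes) and hash rules for the rest, dry-runs the policy before merging it, then pairs that with a default-deny outbound firewall that allows only named programs and audits for allow rules that target the rundll32/svchost wrappers. The directory and program paths are assumptions for illustration and must be adjusted to the machine; the same inventory would feed SRP hash rules on Windows 8.1 Pro, but there is no cmdlet to generate those.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell
# on an edition that enforces AppLocker. All paths are assumptions.

$ErrorActionPreference = 'Stop'

# 1. User-writable locations a default-deny SRP/AppLocker policy should block,
#    and which the post notes some vendors use for executable code.
$writableDirs = @(
    $env:TEMP,
    (Join-Path $env:LOCALAPPDATA 'Google\Chrome'),   # assumed Chrome per-user install
    (Join-Path $env:ProgramData 'Battle.net')        # assumed Battle.net updater cache
) | Where-Object { Test-Path $_ }

# Inventory the .exe/.dll files currently present there. Publisher rules survive
# the vendors' habit of generating a new binary per release; unsigned files fall
# back to a hash rule and must be regenerated whenever the binary changes.
$fileInfo = foreach ($dir in $writableDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Dll
}

$policyPath = Join-Path $env:ProgramData 'applocker-vendor-whitelist.xml'
New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
    -User Everyone -Optimize -Xml | Set-Content -Path $policyPath -Encoding UTF8

# Flag the files that only get a hash rule (no signer): these are the ones that
# break every time the vendor ships a freshly generated updater.
$unsigned = $fileInfo | Where-Object { -not $_.Publisher } | Select-Object -ExpandProperty Path
if ($unsigned) {
    Write-Warning ("Unsigned (hash-only) binaries:`n  " + ($unsigned -join "`n  "))
}

# 2. Dry-run the generated rules against the inventoried files before merging.
$checks = $fileInfo | Select-Object -ExpandProperty Path
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $checks -User Everyone |
    Where-Object PolicyDecision -ne 'Allowed' |
    ForEach-Object { Write-Warning "Still blocked: $($_.FilePath) ($($_.PolicyDecision))" }

# Merge into the effective local policy only once the dry run is clean:
# Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# 3. Outbound firewall: default deny, then explicit per-program allows. The
#    generic hosts (rundll32.exe, svchost.exe) never get an allow rule, because
#    anything can run inside them.
$allowedPrograms = @(
    "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",   # assumed path
    "${env:ProgramFiles(x86)}\Battle.net\Battle.net.exe"        # assumed path
)
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block
foreach ($exe in $allowedPrograms) {
    if (Test-Path $exe) {
        New-NetFirewallRule -DisplayName "Allow outbound: $(Split-Path $exe -Leaf)" `
            -Direction Outbound -Action Allow -Program $exe -Profile Any | Out-Null
    }
}

# Audit: warn about any enabled outbound allow rule whose program is a wrapper.
$wrappers = 'rundll32.exe', 'svchost.exe'
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    ForEach-Object {
        $prog = ($_ | Get-NetFirewallApplicationFilter).Program
        if ($prog -and ($wrappers -contains (Split-Path $prog -Leaf))) {
            Write-Warning "Outbound allow rule '$($_.DisplayName)' targets wrapper $prog"
        }
    }
```

The dry run matters because `-Optimize` collapses many hash rules into one publisher rule per signer and product, and it is easy to end up with a rule that is narrower than the files the vendor actually drops; checking every inventoried path against the XML before `Set-AppLockerPolicy -Merge` avoids locking yourself out of an updater. Re-run the inventory and merge after each vendor release that produces an unsigned binary, since only the hash rules need refreshing.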