"The question begs, however, why ALL Foxconn-signed executables are trusted automatically just because they're signed by Verisign."
Because that's how the whole PKI infrastructure is designed to work. If you have a code-signing certificate, and it's valid because it's not revoked and issued by a valid CA chain, you are trusted by design. Just like every site you access via https is trusted by design if it presents a valid certificate.
The weakest point has always been the private key storage and management (besides checking a certificate status).
Anyway, this shows exactly how much "hard work" is needed to write something like Duqu - you need to obtain the keys of a valid certificate, something beyond the reach of the average attacker - before Windows checked driver signatures, you could just write a driver and get it installed without any check. Is it the final solution? No. Is it better than before? Yes.
Linux does something similar as well: packages need to be signed. Compromise those keys, and you can deliver packages happily installed by the OS without any warning. Moreover, because Linux executables are not signed, there's no way to check them after they are installed.
If you like, you can remove almost all CAs from Windows... nearly everything will raise warnings then...
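The comment's point is that a valid signature only proves possession of a signing key, not that the publisher is one you want on your machine. As an added example (not code from the commenter or from any project they mention), the following PowerShell audits driver files and reports those whose Authenticode status is not Valid, whose chain fails an online revocation check, or whose signer is not on a defender-maintained allowlist. The `$Path` default and the `$TrustedThumbprints` allowlist are assumptions; the thumbprints are placeholders to be filled in from your own inventory.

```powershell
# Added example, not part of the original comment.
# Audits *.sys files under $Path: a "Valid" Authenticode status alone is not enough,
# so each signer certificate is also re-chained with online revocation checking and
# compared against an explicit allowlist of signer thumbprints.
param(
    [string]$Path = "$env:SystemRoot\System32\drivers",   # assumed audit location
    [string[]]$TrustedThumbprints = @()                  # placeholder allowlist, fill from your inventory
)

$codeSigningEku = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3'

Get-ChildItem -Path $Path -Filter *.sys -File | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    $chainOk = $false
    $chainStatus = 'NoSignerCertificate'

    if ($sig.SignerCertificate) {
        # Build the chain ourselves so a revoked leaf or intermediate is surfaced
        # even if the cached Authenticode verdict was computed earlier.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        $chain.ChainPolicy.ApplicationPolicy.Add($codeSigningEku) | Out-Null   # require the code-signing EKU
        $chainOk = $chain.Build($sig.SignerCertificate)
        $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        if (-not $chainStatus) { $chainStatus = 'NoError' }
    }

    [pscustomobject]@{
        File        = $_.Name
        Status      = $sig.Status
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Thumbprint  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
        ChainOk     = $chainOk
        ChainStatus = $chainStatus
        Allowlisted = [bool]($sig.SignerCertificate -and ($TrustedThumbprints -contains $sig.SignerCertificate.Thumbprint))
    }
} |
    # Keep only the files a reviewer should look at: unsigned, revoked/broken chain, or unexpected publisher.
    Where-Object { $_.Status -ne 'Valid' -or -not $_.ChainOk -or -not $_.Allowlisted } |
    Format-Table -AutoSize
```

Run it with `-TrustedThumbprints` set to the signer thumbprints you have already reviewed; anything it prints is a driver that is either unsigned, fails revocation or EKU checks, or is signed by a key you never decided to trust. The allowlist is what turns "signed by someone with a certificate" into "signed by a publisher we chose", which is the gap the comment describes.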