Re: only "signed apps" mentality?
The exploit isn't public so this is speculation at best but it sounds to me like the signed/unsigned distinction is a bit of a red herring here. As per the article "[n]ormally, apps, even signed trusted ones, trigger a prompt to appear on screen when touching the operating system's Keychain database"; it sounds to me like he's found a security exploit and, separately, demonstrated that the exploit is present whether your app is signed or unsigned.
I take that to mean: Apple made an implementation mistake somewhere, which is orthogonal to signing. I don't think signing is meant to be Apple's solution to guarding the Keychain.
Also, although special rules apply for kernel extensions, I think anybody who pays $99 gets a signing certificate, no questions asked. Signed apps are more heavily sandboxed (e.g. no access to a directory unless the user has used the OS-provided file dialogue to open a file from there), but nevertheless that'd be the worst web of trust ever. Apple seems more interested in having permission they can revoke than in vetting those who want it in the first place, and if it makes some money too, fantastic.