The alternative is to shut down/block the attack vectors. No matter how many are created daily, there are a limited number of attack vectors they all use.
Of course, you have to be able to give up all the "sparklies" (no Java, no JavaScript, no ActiveX, no Flash, no file associations...) to do that. It is always a tradeoff.