Well it requires a really solid trusted QA team and policy then.
The QA team and policy don't need to be ideal... even just a cursory check to ensure no obvious malware is typically more than sufficient for normal systems.

How strictly and for how long is unsigned software usually quarantined? After software is signed, will it still be monitored?
These answers depend on the requirements of the given environment.

I wonder if there has ever been a case where software signed by a trusted CA was found to be malware at a later time?
This is why things like least privilege are still useful.

The idea isn't perfect security... the idea is to reduce risk to an acceptable level within a budget. This can be a very efficient method of reducing risk with a minimal budget when compared against other methods giving similar results.

cheers,

catch

Woohoo... only 5 more posts until I retire!