Comment by cesarb

> Replying to your specific point about virus scans. For some (naive) reason, I expect them to run a single time against a binary app that is never changed.

Playing devil's advocate: the executable might not have changed, but the database of known virus signatures changes daily or more often. Either every single executable would have to be re-scanned every time the database updates, or the executable has to be lazily scanned on load.