
"security theater?" = there's no need to worry about security because the app store guarantees that.

What if there is a hack/mistake/bug in the appstore?

There's no need to worry about security because the app store guarantees that.



That's not really what "security theater" means. Security theater refers to highly visible actions that make it seem like enhanced security, but ultimately have no effect. Think: the ticketing agent asking you if you are bringing bombs onto the plane in your luggage.

The Apple review process, draconian as it may be, almost certainly has a real, strong effect in actually preventing malware.


"Think: the ticketing agent asking you if you are bringing bombs onto the plane in your luggage."

Actually, average people would probably know enough to think "someone could just lie when asked - that doesn't provide protection".

To me "security theater" is doing things that seem to appear to lock something down in the eyes of an average uninformed person. Average is not Bruce Schneier or an 8-year-old. It's a typical traveler who believes they are secure because they see checkpoints, have to take their shoes off, and have to have their laptop scanned.


Security theatre is also putting all your faith in some security authority who claims that it must be safe because they are the security authority - but you aren't allowed to look under the hood.

It's exactly like the TSA having magic terrorist detectors - but you can't be told how they work because of security.


What if there is a hack/mistake/bug in the appstore?

The Descartes-style demon argument is generally a weak fallback. The end game of this argument is that you can't trust anything because you can't fully trust anything.

The reality of the situation is that the app store is most definitely more secure than Windows's distribution model because it normalizes the vehicle for software delivery. Security is scrutinized and narrowed down to one place. Users become less trusting of software coming from 3rd party sources (detrimental in some cases, to a more free and open platform), but added security is definitely gained as part of the tradeoff here.


Yes, the app store limits improves security - compared to randomly clicked email attachments in Windows.

But as the recent Flame worm, signed by a Microsoft trusted certificate (http://isc.sans.edu/diary.html?storyid=13366), shows, central security systems aren't automatically foolproof - and if you are prevented from having any sort of local control or anti-virus by that same central security system, you can be up a certain creek with a certain paddle.


shows central security systems aren't automatically foolproof

That was never contested by anybody. What the Flame worm showed was that there needs to be stronger security around private key portions of signing certificates.

any sort of local control or anti-virus by that same central security system

Funny how that works. Anti-viral software is a central security system that uses similar distribution and signing techniques as the app store! Not to mention, anti-viral software doesn't protect you from zero-day exploits, unpatched software, and brand new malware that tends to be the thing that causes the most problems. Not to mention metamorphic and polymorphic malware, which is getting more and more common and runs circles around modern AV software.



