I am reading this post as a one-level progression from your early stance, and it seems you are acknowledging that if the whitelisting process is enabled for the binary, then you have solved one set of problems, although the issue of unofficial binaries, and of users unwilling to do the signature check, remains.
The thought experiment wasn't that hard to do, so I wonder why you had to be forced to respond to it after repeated pointed messages. (Although one may argue that you have still refused to explicitly acknowledge it despite repeated attempts to focus your attention on the ONE aspect being asked about, but then one must give some benefit of the doubt.)
As to the points you mentioned:
1 - Cicada & such target individuals using Portable versions, i.e. "Extracted" packages.
Kindly read up on the definition and explanation of Strawman argument before talking about patched/modified/unofficial/hacked/portable VLC apps.
EVERYONE knows that using apps from unofficial places carries various forms of risk. Give users some credit that they are intelligent enough to know that. If you still have doubts, there should be an attempt to educate people instead of a Nero-ish washing of hands.
Also, it is extremely dubious of you to claim that these state/non-state actors have TARGETED Portable versions, and by corollary to make the false implication that the official installation is never at risk and hence never targeted, when the truth is that a state-sponsored hacker could very well have placed a malicious file inside an official installation WITHOUT modifying ANY other file from the OFFICIAL installation, and the user would never know in the current scheme of things. Please do not try such diversionary tactics, at least not on your own official forum, where it will paint the organisation in a bad light on record.
Had this been true, you would have ensured that the examples that claimed otherwise, like the BleepingComputer link, were forced to send out a retraction. The fact is, you know it is true, as that is how the binary is currently coded, and it side-loads anything that a non-state/state-sponsored actor might have placed in the folder.
2 - Supposing this is installer repackaged, you're expecting from a user *which accepts to install any crap from random people* to check signatures ??
At least then we have a way of telling people to check if they have a compromised binary or if they have a binary which is protected from side-loading any malicious DLLs. How it gets implemented in the long term by people, defender apps, policies and processes is a secondary discussion, but if there is such an easy mechanism available, one can at least make a pitch that the official binary from the official site cannot load unauthorized / non-whitelisted and potentially malicious DLLs. Given that, one can then make a case that the official site should not be banned, because it is aiding in the solution to the problem, preventing people from having to resort to downloading --politically incorrect term-- from unofficial sources. AS OF NOW, as things stand, users do not even have an option of checking the VLC binary signature and taking a call on whether they can trust the installation, or whether they should just reduce some (of the admittedly many) failure points and just nuke the installation.
You may kindly stop the whataboutery about 'social engineering', brain-fade, suicidal and maniacal behaviour. All of that and more can happen in the world, but all global problems, or even the problems in your own city and street, need not be solved before you do some spring cleaning inside your own house.
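The check the post asks for, in the form a user or administrator could actually run today, as an added example that is not from this thread or from the VLC project: walk the install folder, ask Windows for the Authenticode status of every DLL, and flag anything that is unsigned or signed by someone other than the expected publisher. The install path and the publisher subject string are assumptions (the subject is a placeholder; take the real one from a known-good file), and whether every DLL an official install ships is signed is something to establish from a clean install first, not something this script assumes.

```powershell
# Added example (not from the thread): inventory the DLLs beside an installed
# binary and flag any that are unsigned or not signed by the expected publisher.
# Assumptions: $InstallDir is the install folder; $ExpectedSubject is a
# placeholder for the publisher's certificate subject, to be taken from a
# known-good file rather than typed from memory.
param(
    [string]$InstallDir      = 'C:\Program Files\VideoLAN\VLC',  # assumed path
    [string]$ExpectedSubject = 'CN=EXPECTED PUBLISHER'           # placeholder
)

function Get-DllSignatureReport {
    param([string]$Path, [string]$Subject)
    Get-ChildItem -Path $Path -Recurse -Filter '*.dll' -File | ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [pscustomobject]@{
            File     = $_.FullName
            Status   = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Signer   = $signer
            Expected = ($sig.Status -eq 'Valid' -and $signer -like "*$Subject*")
        }
    }
}

$report = Get-DllSignatureReport -Path $InstallDir -Subject $ExpectedSubject

# Anything not Expected deserves a closer look: a DLL dropped into the search
# path shows up here even when every official file is untouched.
$report | Where-Object { -not $_.Expected } | Format-Table -AutoSize

# Keep a hash baseline of every DLL so a later run (after an update, say)
# can be diffed against it instead of relying on memory.
$report | ForEach-Object { Get-FileHash -Path $_.File -Algorithm SHA256 } |
    Export-Csv -Path (Join-Path $env:TEMP 'dll-baseline.csv') -NoTypeInformation
```

Two caveats a practitioner would want: this only reports what is on disk right now and who signed it, so it is a detection aid, not the load-time whitelisting the post argues the binary itself should do; and a signature check is only as good as the expected-publisher value you compare against, which is why the placeholder should be replaced with the subject read from a file you already trust.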