That's where you're confused, they are watched at the right point, in fact at multiple points.
Are you related to Charles Newman?
Not only IS it practical, it's done by normal practice in many companies, at least the ones that want to be secure. And this doesn't even take into account the Mandatory Security settings that can be pushed out via GP to the workstations for IE.
Again, it's about knowing the threat, not about patching some broken software, if you block the threats it doesn't matter what program is broken.