Even if your ingenious solution were more work than upgrading WordPress once, it’s not more work than upgrading WordPress with each new release, and doing so until the end of time. This summer alone there have been four security releases of WordPress.
A useful feature would be a command-line utility to put WordPress in read-only mode. Although it probably couldn’t protect against all cross-site scripting vulnerabilities (some of which could conceivably appear in PHP itself), there should at least be a way to protect WordPress from corrupting its own files and database.