The recent Apple XcodeGhost fiasco speaks to a lapse in the security chain, which is the key point: all security mechanisms are as weak as the weakest link in the chain. To wit, if the front door is barred and locked, crawl in through the unlocked window. This failure is in part an Apple process failure, though MPG has no particular answer as to how Apple can fix this sort of problem.
This quote from Validating Your Version of Xcode (for developers with Xcode) hits the nail on the head, and not just for developers: it is a huge risk to download any software from anywhere other than the entity that develops/sells it.
We recently removed apps from the App Store that were built with a counterfeit version of Xcode which had the potential to cause harm to customers. You should always download Xcode directly from the Mac App Store, or from the Apple Developer website, and leave Gatekeeper enabled on all your systems to protect against tampered software.
To verify the identity of your copy of Xcode run the following command in Terminal on a system with Gatekeeper enabled:
spctl --assess --verbose /Applications/Xcode.app
... Any result other than ‘accepted’ or any source other than ‘Mac App Store’, ‘Apple System’ or ‘Apple’ indicates that the application signature is not valid for Xcode. You should download a clean copy of Xcode and recompile your apps before submitting them for review.
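The check Apple describes, as an added example (not from the original post and not Apple's code): a small shell function that applies both of Apple's conditions to the output of spctl --assess --verbose. It assumes the output shape "path: verdict" followed by a "source=..." line; the sample outputs below are constructed, not captured from a real system.

```shell
#!/bin/sh
# check_xcode_assessment: reads `spctl --assess --verbose` output on stdin and
# returns 0 only when BOTH of Apple's conditions hold: the verdict is
# "accepted" AND the source is "Mac App Store", "Apple System" or "Apple".
# A copy signed with some other Developer ID is still "accepted" by Gatekeeper,
# which is why the verdict alone is not enough.
check_xcode_assessment() {
    out=$(cat)
    # First line is assumed to look like "/Applications/Xcode.app: accepted".
    verdict=$(printf '%s\n' "$out" | sed -n '1s/^.*: *\([a-z]*\) *$/\1/p')
    # A following line is assumed to look like "source=Mac App Store".
    src=$(printf '%s\n' "$out" | sed -n 's/^source=//p' | head -n 1)

    if [ "$verdict" != "accepted" ]; then
        echo "FAIL: Gatekeeper verdict is '${verdict:-unknown}', not 'accepted'"
        return 1
    fi
    case "$src" in
        "Mac App Store"|"Apple System"|"Apple")
            echo "OK: accepted, source=$src"
            return 0 ;;
        *)
            echo "FAIL: accepted, but source '${src:-unknown}' is not an Apple source"
            return 1 ;;
    esac
}

# assess_live_xcode: runs the real check on a Mac with Gatekeeper enabled.
# spctl may write its report to stderr, so both streams are captured.
assess_live_xcode() {
    spctl --assess --verbose "${1:-/Applications/Xcode.app}" 2>&1 | check_xcode_assessment
}

# Constructed sample outputs (labels only; not from a real system) so the
# function can be exercised on any platform.
GENUINE_SAMPLE='/Applications/Xcode.app: accepted
source=Mac App Store'
DEVID_SAMPLE='/Applications/Xcode.app: accepted
source=Developer ID'
REJECTED_SAMPLE='/Applications/Xcode.app: rejected
source=no usable signature'

printf '%s\n' "$GENUINE_SAMPLE"  | check_xcode_assessment || :
printf '%s\n' "$DEVID_SAMPLE"    | check_xcode_assessment || :
printf '%s\n' "$REJECTED_SAMPLE" | check_xcode_assessment || :
```

On a Mac, call assess_live_xcode (optionally with another .app path) to run the real spctl check through the same two-part test.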