As for securing the payload better, there may have been limitations that prevented them from using more sophisticated techniques, such as encrypting it with a key derived from extensive and precise configuration data on the targeted machines so that only those machines could unlock it.
When I first read in this book about the encryption layers, I thought/assumed that it would use data/config from the target configuration as the encryption key as well. Maybe they feared they didn't know the target systems accurately enough to depend on that (and maybe that's why they wanted the config data sent to the C&C servers?), but the footnote points out that a later version of Stuxnet DID use config data as the key and thus hasn't been decrypted (openly at least).

