I think hardware solutions like secure compute modules can help. The keys are in the chip and you aren't going to steal them without decapping the chip or some high-resolution X-ray. A lot more time is spent on getting hardware right, so hopefully you could trust it better. Your software talks to hardware and asks it to do the crypto for it, but there are downsides too... can't update it, so you better have a good algorithm to start with, and you can't copy keys, so you better have some strategy of updating which devices are allowed to sign.