There's no need. As long as you inspect PKGBUILDs and verify that the changes are all right, you can keep updating.
> We could put aur read only, so we can remove all malware and figure solutions before new one arrives.
That's a too harsh. I agree that the situation should be handled somewhat, but it can take weeks to come up with something and implement it.
