Of course it would, unless you will never attempt to execute a program from the internet, or some other source. At some point, even a Harvard architecture system needs to copy data to the code section if it wants to execute arbitrary programs, and there is no program to detect whether a program is potentially malware - without executing the program itself.
Why would I want my firewall to execute arbitrary programs?
As for detecting if a program is malware, I would leave that to the antivirus. And yes, to check if a program is malware you have to execute it. I assume regular security software does this in a sandbox. In my proposal the sandbox would be hardware based; if you run the security software in the instruction address-space of the (pure) Harvard architecture and give this software a "slave-processor"* on the data address-space and memory-bus that it can use as a sandbox to check the safety of arbitrary programs before giving the real server/workstation permission to execute them. This using a system like I described four posts above this. And before anyone complains that Firewire/Thunderbolt is too slow, there are always PCIe Non-Transparent-Bridges, which is actually a product that exists.
Edit:
*By "slave-processor" I refer to a processor that would be practically identical to the processor in the server/workstation except it would not be in control of itself. The main (Harvard) CPU would have the ability to directly override things like the PC and peek into registers and stack. It would use part of the data-address-space (or even better a separate third address-space) of the Harvard architecture as its single flat-address-space. It would be a "hardware based sandbox" imitating the real server/workstation.
Edit2:
And I see this could be understood as two systems (sorry for being unclear). Just to specify, I would run:
-Firewall on pure Harvard architecture.
-Server/workstation on a single flat address-space system.
-Antivirus/security-policies et al. on a pure Harvard architecture with a "slave-processor sandbox" imitating the server/workstation and direct DMA access to said server/workstation.