POST:
Schneier asserts in the Atlantic Monthly article that:
"All security systems eventually miscarry. But when this happens to the good ones, they stretch and sag before breaking, each component failure leaving the whole as unaffected as possible."
Is Palladium a "good" system by this metric? Explain what leads you to this conclusion.
Palladium's design lends itself to meet Schneier's prerequisite for a "good" system. But it is up to the Palladium companies--the entertainment companies and software companies that will make certificates to ensure authorization--to take advantage of Palladium's design to keep the system ductile.
It would be best to explain this by taking a look at a specific example and then generalizing it.
Entertainment companies and software companies have three options when they use Palladium to ensure that the consumer is using their data appropriately. They can either 1) have the same certificate for all of their applications, or 2) have different certificates for every different application, or 3) have different certificates for each different type of application.
For example, say that you want to listen to an audio file of your favorite band. Palladium will check to see that you have rights to that audio file (i.e., checks to see that you possess a certificate from Virgin Records). Let's propose that you are able to hack that certificate and possess a "fake certificate" that is able to fool Palladium into thinking you have authorization to listen to Virgin content. Depending on how Virgin Records implemented its certificates, you can have three different consequences of this failure:
1) You now have full access to all Virgin services (all songs, movies, etc.). This would occur if Virgin uses the same certificate for all its applications. (Obviously not smart.)
2) You have access to just that one audio file. This would occur if Virgin has a different certificate for each individual application. (Way too many certificates to implement.)
3) You have access to all audio files or all audio files of that band. (Keeps the fault localized, and this is the most probable implementation.)
Now if we take a step back and look at the bigger picture--how Virgin relates to other applications such as Word documents, Disney, Interscope, Warner Bros--we see that a hack into Virgin does not affect these other companies. In other words, hacking into Virgin's authorization module will not allow you to alter the security of Word documents or Disney movies.
In a second example, Palladium offers a multi-tiered security system--if you break one device (such as falsely authorizing a sound card at boot-time)--you don't have unfettered access to all subsequent applications that use that device. In the case of the sound card, the media player still needs to be authenticated and the audio files need to be authenticated as well. Thus, lower levels can fail but the entire security system above it does not collapse.
Both of these examples illustrate that Palladium is a "good" system, because it can fail at many points, but not ruin the entire security scheme.
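The three certificate-scoping options and the multi-tiered check from the post above, as an added worked example that is not code from the post or from Palladium: it models the blast radius of one forged certificate under each option. The catalogue, provider and band names are constructed sample data.

```python
"""Blast-radius model for the three certificate-scoping options described above.
Added example, not code from the post or from Palladium; the catalogue, provider
and band names are constructed sample data."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Item:
    provider: str   # e.g. "Virgin" (constructed; stands in for Virgin Records)
    kind: str       # "audio" or "video"
    artist: str
    title: str

# Constructed catalogue: one provider's content plus a second provider,
# so the example can show that the second provider is never affected.
CATALOGUE = [
    Item("Virgin", "audio", "BandA", "song1"),
    Item("Virgin", "audio", "BandA", "song2"),
    Item("Virgin", "audio", "BandB", "song3"),
    Item("Virgin", "video", "BandA", "concert"),
    Item("Disney", "video", "Studio", "film"),
]

# Each scoping option maps a content item to the identity of the certificate
# that authorises it. Items sharing a certificate share its fate when forged.
SCOPINGS = {
    "one cert per provider": lambda i: (i.provider,),
    "one cert per item": lambda i: (i.provider, i.kind, i.artist, i.title),
    "one cert per artist and media type": lambda i: (i.provider, i.kind, i.artist),
}

def blast_radius(scoping, forged_for):
    """Items unlocked by a forged copy of the certificate that covers `forged_for`."""
    forged = scoping(forged_for)
    return {i for i in CATALOGUE if scoping(i) == forged}

def compare_options(forged_for):
    """Number of items exposed under each scoping option for one forged certificate."""
    return {name: len(blast_radius(fn, forged_for)) for name, fn in SCOPINGS.items()}

def tiered_access(device_attested, player_authenticated, content_authorised):
    """The post's second example: every layer must pass on its own, so defeating
    the device check alone (device_attested=True, others False) grants nothing."""
    return device_attested and player_authenticated and content_authorised

if __name__ == "__main__":
    target = CATALOGUE[0]
    for name, exposed in compare_options(target).items():
        print(f"{name}: {exposed} of {len(CATALOGUE)} items exposed")
```

Forging the certificate for one BandA song exposes 4, 1 or 2 items depending on the option, and the Disney item is never among them.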
This post was an excellent post in showing Palladium in the context of Schneier's metric of failing well. He did a good job of showing how the certificates (Virgin Records example) would be compartmentalized, meaning that there wouldn't be one omnipotent certificate that, if hacked, will give access to all things. The compartmentalizing was again shown well with the example of the sound card. To sum his point up in one sentence: Palladium fails well because if one component fails, it does not affect the others greatly (i.e., bringing them to a halt).