I will happily eat those words if I'm ever compromised by something that AV could've stopped. People overlook that last part: the range of things that AV can stop is limited, and AV is virtually useless against exploits of software flaws that result in RCE and EoP.
So far, my track record is pristine--two decades without compromise of any sort on any computer that I personally manage (okay, there was one time a decade ago when I accidentally executed an adware installer that I was disassembling on a test computer--but I knew I what I was messing with, it was easy to clean up, and I've since been more careful when I do stuff like that, like using VMs for that kind of thing).
AV doesn't give any more of a false sense of security than pretending you're bulletproof because you're "too smart for viruses."
Who said I'm pretending?
Anyway, I'm not "bulletproof"--an insanely good unpatched 0day RCE could get me. But those things are really rare, and most importantly, the kind of stuff that can get me is also the kind of stuff that AV wouldn't have a prayer of stopping.
Whereas AV definitely gives a very dangerous false sense of security. I do cleanup for family, friends, and friends of family/friends. Unlike my computers, their computers all have AV. Yet they're the ones being compromised, not me. And the kinds of questions that I get are along the lines of "Why didn't the AV stop it?" or "What would you recommend as a better AV?"
Modern security threats are predominantly problems of social engineering and exploiting gullibility. It's fundamentally a human problem, not a technical one.
AV is just one part of an overall layered security plan. It's not meant to catch every threat, and it never will. AV is there to *hopefully* catch that one off zero day attack laced into a compromised advertisement on a legitimate website via heuristics, as well as act as a safety net against older well known threats that are kicking around hoping to infect people who don't run security updates or install new versions of software. It's not a substitute for smart browsing habits.
Even "hopefully" is way too optimistic. Once in a blue moon after double rainbows and oodles of luck is more accurate.
It's cost-vs-benefit. The cost is tremendous. Even with light AVs like Defender/MSE, disabling it results in very noticeable performance gains. In one extreme case, I have a large suite of utilities that I install on all the systems that I manage using a custom installer that I wrote. On my parents' desktop (which has MSE), it took almost a minute to install, with one core of the CPU completely pegged. On my netbook, despite having a slower CPU and slower drive, it took a few seconds.
It's worse on low-end systems: I had an Atomic nettop that I used a few years ago as a server. It was really nice and responsive because I kept it lean and AV-free. I later replaced it with a Sandy Bridge server, so I sold the nettop on eBay. Before I did that, I wiped and reinstalled the system and put in MSE. The thing was intolerably slow afterwards--a night-and-day difference from how it performed back when it had no MSE.
And there's the cost of false positives. Remember that time when installations of Excel were hosed by AV? Or the many pieces of legitimate software that get flagged as suspicious by overzealous heuristics?
We make fun of DRM and how it does very little to stop pirates and all it does is inconvenience legitimate users. Well, AV is the same. A good blackhat knows how to make their stuff fly under the AV radar. Hell, there's a whole industry devoted to doing this (go Googling for FUD crypter and you'll see what I mean). The things that AVs catch are stuff like innocent indie software that used UPX.
And the benefit? Pfft. It protects against users doing stupid things. Now, for my parents, I don't trust them to not do stupid things because they have "gullible" written on their foreheads, so I do leave MSE on their system (and also stripped admin privs from their user accounts) (and I
still had to clean up two junkware installs this year). But if you're tech-savvy enough to be a regular at a forum like this, AV is
not something that will give you a lot of benefit. Certainly not enough to justify the intolerable costs that it incurs.