Maybe some of them thought they were fine if they were using AV software? I know what you mean, but the marketing departments of many AV vendors praise it like some kind of all-around solution. I'm pretty sure some people think they can get away with disabling updates etc. and than just buy AV software afterwards when they feel they can't handle their systems anymore.
Maybe the perception that you can achieve some kind of security through band-aid solutions is exactly the cause for the lacking security of many organizations?
Maybe the perception that you can achieve some kind of security through band-aid solutions is exactly the cause for the lacking security of many organizations?