Well, I don't think that there are many organisations of any size that don't run an AV product, and I don't think that there are that many admins who think that they do much good. They are a CYA insurance policy, or as TH puts it: they let you check a box on a security questionnaire.

True security comes from policies and their enforcement by whatever means.

User education is a good start, but unfortunately is something of a Holy Grail in many cases.

TH mentions 18% which I am guessing includes all forms of attack? I do recall posting on here quite a while back about a UK security outfit who hired coders to write around 3500 new and obfuscated malwares. These were items that you would reasonably expect an AV to detect.

They then tested against 10 of the most common AVs and I don't think that any got more than 50% and most were under 30%.

Traditional AV is hindered in that it is reactive and retrospective, and looks for the malicious code of traditional malware. These days malware isn't so much what it is, but what it does. These are the days of cybercriminals, the days of lulz are pretty much over.