Lets start with some statistics:
99% of all workstations with up-to-date antivirus
Antivirus blocks over 99% of all malware.
That is amazing! That is great stuff to show the IT Director, CIO, CSO, mom and to put on the wall. But, yet, a company I know (not the one I work for) still managed to get a virus which brought about some painful downtime.
The virus was one of the 1% that the antivirus doesn't block and it spread through the organisation like wildfire. Essentially the saving grace was that it infected a small part of the network, brought that down and didn't spread from there. Luck. It was also non-destructive other than network downtime. Luck.
The metrics lied.
You could say that there was residual risk but it really looks quite small. What is 1% between friends? But that 1% is precisely what any hacker (or virus writer etc) worth his salt is targeting.
So, where to from here?
I won't throw the baby out with the bathwater. 99% of PCs with antivirus is certainly safer than 50% or 0%. 99% of PCs fully patched is safer then 70% or even 100% of PCs almost fully patched. But 99% of PCs with antivirus is not a guarantee that no virus will find its way to destroying your network. It is important that your boss(es) know this and more important is that you know this.
And have plans in place when the 1% risk becomes reality.