The only AV products I've found which actually do anything are SpywareBlaster and Malwarebytes, because MB actually blocks by IPs, and SpywareBlaster doesn't actively run, but sets kill bits and blocklists in browsers.
However, with an adblocking browser extension, Web based malware should never hit your system in the first place, and with click to play functionality, should not have a chance of being activated... and with a VM or sandbox, even if the browser does get compromised, it won't get past that.
As for Android, the weakness is that a lot of Chinese stores have little to no curation or filtering out bad stuff. Google does a decent job in stomping out the bad stuff, but I still think they need to go with two tiers, one tier as things are currently, and one tier where developers have to agree to more stringent rules, and the software has to pass more tests... that way, if a user sticks to the more curated tier, there is less chance of an infection happening.
One note -- the exploits we read about with Android almost always are related to either pirate repositories or "app stores" with little to no moderation. Even something like Cydia's ecosystem would be highly unlikely to have malware like this ever hit it it in the first place, and if it did, the devs would have it pulled in minutes to hours.
As for AV software, I use it on machines to make legal eagles happy. I've yet to see it actually actively stop a compromise of a machine. At best, it is good for scanning for 1+ day stuff. The real defense are the IP blacklists, hosts files, kill bits (SpywareBlaster is quite useful), Web browser extensions and click-to-play. The best mitigation if an infection happens are sandboxes (SandboxIE), virtual machines, and jails. AV was useful back when one scanned a floppy with the latest copy of Doom on it, but these days, it is more for the checkbox in paperwork than actual protection.