You are both right and wrong.
It is the fault of the IT staff, of course.
However, you are very wrong in saying that availability (in terms of resilience to malicious software) of a mission critical system is achieved by installing decent AV and keeping it updated. And if you call that done you would be very well done working for me.
The number of times I had viruses which no engine with latest signatures was yet able to recognize (so, yes, really new) was less than a dozen times (in two years working in Southeast Asia), but it was definitely not fun cleaning those.
Sysinternals' tools were very useful, as Process Explorer is really a decent tool which was rarely specifically targeted by malicious software, and Autoruns was able to disable quite a lot of suspicious things. With these two, normally I was able to disable things AV software would not pick up (or was not able to clean). Some sort of honeypot was useful to detect unusual activity. Locking down the OS helped, and keeping it patched is no small thing. Having another OS (Mac, Linux) as a fail-over option for desktop stuff (for regular users) was also in place and paid off a few times. Booting a live Linux distro for cleaning purposes was used a few times, but that's for viruses that are already in signature files (or that you have mapped out). Of course, backups are a must. Checking for rootkits was done periodically. Educating users and having policies was something we did, but it is hard to measure if that worked (if it actually saved any work). Any server service that could go on Linux was moved to Linux. Every little bit helped.
Our systems were not mission critical. The few infections that were successful were hard to clean, but luckily the payload of the viruses in question was mostly harmless in terms of damage to files and services. I really don't like to think what would have happened if these infections were more malicious (for example if they locked and/or damaged documents).
So, yes, the US and Europe get new malicious software with a slight delay, which is enough for AV software to be an order of magnitude more efficient here, but 0-day exploits and new viruses that cannot be detected by AV software are not myths, and on a vulnerable OS they are a big part of your security considerations, your continuity plan, IT policies, and they do take more resources to achieve approximately the same level of system resilience as an OS that is more secure and has fewer threats.