So many users (and a lot of IT departments, unfortunately) viewed their anti-virus products as a magic forcefield to protect them from threats. That's how they were marketed always will be. It's not just security vendors; salespeople from any vendor will tell you that it dishes out soft-serve ice cream if that's what it takes to get you to buy it. What amazes me is how so many companies still buy into it and turn to new security products looking for that same non-existent magic force-field. I had hoped the mindset would get better in the current threat landscape, but I'm not so sure it is. I still hear customers asking "Why didn't product X protect me?" in situations where they should have already known full well that it wouldn't do jack sh*t against the particular threat that was encountered, and they didn't have other crucial pieces of the security puzzle in place. (Social engineering, anyone?).