Well, if it's not an ad for Trend Micro's Deep Security, it is definitely a setup for one, since they're the only company that uses VMware's VMsafe and EPSEC APIs to achieve agentless antivirus, firewall, application control, deep packet inspection, virtual patching, and file integrity checking, meeting 6 out of 12 PCI requirements, all from a single console.
I deal with IT departments every day for hospitals, schools, and other businesses in the South East, and the biggest issue I see is lack of patching on Windows and Linux machines while keeping the virus definitions up-to-date. The IT departments know that patching is important but feel they can't patch an approved FDA device, or the staff lacks the bandwidth to implement a proper patch testing cycle. The only solution that I see that consistently works for these types of businesses is to virtually patch these machines with a host-based network filter until they have been approved by the FDA. This also allows them time to test the new patches on their internal servers before rolling out to the rest of their infrastructure. No vulnerability = no mass infection.