That's all well and good. You understand that. So do I. And probably so do the engineers at Microsoft. But that's not the problem. Let's be real, this is no longer the Swiss-cheese-security Microsoft from the NT/XP days. As much as it pains me to admit it, their engineers, at least, have a clue. Moving AV out of the kernel was likely in their backlog. But I'm sure you're as aware as I am that engineering teams often have more work than time on their plates, and "nice to have" has a tendency to become "If it ain't broke, don't fix it." And Windows AV wasn't broken... in part because those same engineers knew about the risk and used compensating controls to mitigate it; in this case, by locking down ring 0.
And all was well until some pinheaded pencil-pushing bureaucrat with not a whit of a clue about computers, operating systems, kernels, or InfoSec was given some power. And like all sad little people who are out of their depth but are entrusted with some, he or she decided to pull a "Respect mah au-thor-i-tah!" flex and ordered those engineers, about whose work he very obviously has not the smallest clue, to open up ring 0 to every random fly-by-night outfit with inflated ideas about their own competence, like CrowdStrike.
Yes. Making your kernel more micro and moving AV into userspace is the smart move. But the way this came about was unnecessary and profoundly, catastrophically stupid.