As an IT admin, the first thing you should put in practice is Best Practice. The fact that so many Fake AVs get installed from the fact that an End-User CAN install anything and everything is already as stated above: "as if someone's else’s fence should make up for your lack of one" and you relying on an AV product to protect you from yourself...
I have also heard the argument many times before about not having deployment servers and all the rest, but there do exist open source solutions for small to non-existent budgets for capabilities in deploying. GPOs and scheduled reboots to roll out deployments etc.
But hey, that's my opinion and mine alone. I don't work for Symantec, but have been in IT for over a decade and in all my career, never once have I ever had to deal with a Virus outbreak or infection. In both closed and open environments, with and without access to the internet.
Nothing gets connected to my network if it shouldn't be there. No thumb drives, floppies, phones, laptops. No cracks, installers or anything else from the outside. Evaluations, demos, etc. Not on production machines.
But than again, for incoming corporate e.mail we do rely on Kapersky, ClamAV and Symantec. OVerkill is better than no kill...
And MACs do get infected as well- apparently. Never personally seen it. Could be a myth.
But, MACs are the single most vulnerable issue to any network. There is no such thing as a secure MAC. Microsoft has a 3 finger salute to "protect" the login process, MAC has a 2 finger salute to avoid it...
My 2 cents.