Yup, desktop malware protection can only be the protection of last resort nowadays. If the malware gets to the desktop, even if SEP stops it, you're already in trouble.
Why? Because many pieces of malware package multiple exploits into one download. If you can block it at a proxy, then the page or download gets stopped entirely regardless of how many other exploits it contains. SEP on the desktop may stop exploit #3 but #1, #2, #4 and #5 still run on the desktop on your internal network.
You say you can't afford it? "Pay Me Now or Pay Me More Later." How much is it costing you in time and effort now?
Ray