There is one more case when I'd argue that AV software are useful: for money-less kids (and adults) who want to play PC games. Just because you have no money to buy a game, it doesn't mean that you can't play it. But frequently free games come with unwanted extras - and that's when an AV is not useless, in the optimal case.
> Internet routers don't run AV, even though they are directly exposed to all sorts of traffic.
And yet, consumer routers get regularly pwned, and join botnets, and turn hostile against the users and/or the Internet, because they are so appallingly opaque that you can't even tell what is going on with them, what traffic they're sending/receiving, or what tasks are running in their kernels.
I would be unsurprised to learn that enterprise-grade network appliances are often opaque as well, in terms of what backdoors or trojans have been smuggled into them. Many of these have disused management interfaces, and nobody really checks up on them, so long as they perform as expected.
By contrast, a machine that's in use by humans will "feel different", and admins often notice compromises because they're regularly checking up and troubleshooting normal operations there. In the end, it really depends whether the malware is stealthy or disruptive. The stealthy stuff is why you install good countermeasures!
I recycled no fewer than 3 consumer routers that were all pwned, or highly sus, and definitely afflicted with unresolvable zero-days, and now I rent ISP-managed CPE. It's the only way.
20 years ago, I was taking turns playing games on a friend's Windows PC, and we turned up a nasty worm that was commandeering all his image files. I manually excised the worm from the filesystem, because he hadn't been running any antivirus software. Later on, I found a neighbor's PC she'd inherited from another neighbor--totally infested with adware and worse, had completely taken over the browser. No antivirus to stop it. I installed some free tools and got it under control for her.
The truth is that many users are extremely naïve and uncautious with their behavior. So they'll need something else looking out for them.
It's true that anti-malware software for edge computing devices is often more trouble than it's worth. It's also true that your good hygiene and overall security posture counts for more when defending against common attacks. But it's also true that hackers will find a way, so detection and recovery is paramount when some device eventually succumbs to compromise.
> and now I rent ISP-managed CPE. It's the only way.
An ISP provided consumer grade router (and that's what they all are) isn't any better than the one you buy yourself and almost certainly worse.
My ISP uses 802.1x and I bypassed it completely by pwning the provided router to get the keys.
The only "way" if you're concerned about security is to run your own gateway with whatever Linux, FreeBSD (*sense), or OpenBSD suits your particular needs.
You can of course run it behind a ISP provided gateway in bridge mode, but I always prefer to get another cheap piece of hardware out of the chain if I can.