That's exactly what I had in mind when I read the GP. If third party AVs have a large and complex codebase with unknown or even known security flaws, they won't help much against targeted attacks or make them even easier.
On the other hand, AV usability is so bad you can't expect it to help "normal" people. All those popups do more harm than good when people start ignoring them.
Well, I agree that AV most likely wouldn't protect you against targeted attacks - but most of the attacks that we investigated were targeted quite broadly - phishing email campaigns targeting financial organizations (with address lists based on some hacked legitimate resources for accountants, for example).
And usually these attacks succeeded because of insecure infrastructure, poorly trained admins, old, non-updating systems (some people still think using Windows XP on internet-connected computers is fine), and lack of AV software.
"usually these attacks succeeded because of insecure infrastructure, poorly trained admins, old, non-updating systems (some people still think using Windows XP on internet-connected computers is fine)"
In this case, there are much bigger problems than the lack of AV.
What do you mean, exactly?
All I want to say is that while targeted attacks are the most difficult to defend against (well, by definition), it is the medium-sophistication-level attacks that cause the most damage (in my experience), just because of their volume.
It's not some state-of-the-art APT malware, it's bundles of RATs + generic backdoors/keyloggers packed in SFX archives, that are usually quickly detected by most AVs (provided that AV bases are regularly updated).
Maybe some of them thought they were fine if they were using AV software? I know what you mean, but the marketing departments of many AV vendors praise it like some kind of all-around solution. I'm pretty sure some people think they can get away with disabling updates etc. and then just buy AV software afterwards when they feel they can't handle their systems anymore.
Maybe the perception that you can achieve some kind of security through band-aid solutions is exactly the cause for the lacking security of many organizations?