Of course you should be able to respond on security incidents. If you have a security incidents it's often too late and security boundaries are already borken. In the long term we want to have secure systems which are secure by design and by default. We have to invest heavily in incident response because we have have all of these shitty and broken systems. We should already have started heavily on building secure systems and secure languages and should call on everybody to invest time to build these instead of building reactive technologies like AV.