A pure antivirus is surely becoming pretty obsolete today, as you said. Which is why I'm running MSE. Free, small footprint, very small impact. It sure doesn't take care of everything depending on what you test for, but it's decent for the standard things. As a contrast, the only two times I've been infected were back in the XP days. The first time, I wasn't running anything at all, and it just deleted my whole drive, although the data was recoverable. The second time I was running a known good one, Nod32, which at the time had a very good record, and I still got infected because I ran an executable of non-reputable origin. I thought it was the same as I had used before, but alas, it wasn't. It was a dropper infection that downloaded a slew of other things. Had to clean that one up manually by setting blocks in the firewalls against everything not safe, then tracing all file changes and activity through the Sysinternals toolset. It was alright, but it was a bit hairy since I could only do it via RDP, as I wasn't living at home at the time due to reconstruction.
After that I make do with MSE and good habits instead, where the last part is what really counts. You can get hit by things anyway, but being educated and not doing stupid **** is what makes the biggest difference today. At this point I only wish I had a better firewall that could run a few of the better services, but that requires more money at this point than I want to spend. So my Juniper SSG-5 has to make do for a while yet until I upgrade my internet to >100Mbps.
If you look at the enterprise side, there is AV around, but that AV is usually integrated with malware/adware protection and seconded by a slew of other tools that do patch management and logging of activities. On the infrastructure side, you often have a slew of different things that are layer upon layer of protection, and pure AV is a very tiny part of that. But at present, a normal enterprise might use the following combination of tools depending on the design.
* Firewalls - duh. Segregation and perimeter protection; today, with the next-gen firewalls, often integrated with several of the categories below.
* Spam Filtering - Either in house or a hosted service, or a combination, often reputation based with a certain measure of heuristics. Funny thing is that you can easily see that about 98-99% of all email is trash and not legitimate email.
* Proxy + inline AV-scanning of all downloaded files and web streams.
* IDS/IPS - Protection of things not in the AV realm, often part signature and part behavior based.
* Anti-DDoS services - Inline boxes outside of the firewalls for slow attacks, hosted services à la Arbor on the ISP side for the volumetric DDoS.
* Dynamic Malware protection - One of the latest things that is up and coming, not all too common as an everyday tool, but becoming more available. I've only had training on the FireEye products, but the big point of this category is that it works mainly on behavior and correlation of what the programs do themselves instead of only relying on the communication streams like an IDS/IPS.
* Security Monitoring - basically, a way to add intelligence and correlation on top of all the other services doing logging, correlating all the above sources to catch things that none of the other product-based things would be able to catch on their own, because each only sees a subset of the activity by itself.
That's only the technical side. On the soft approach, having developed critical thinking spread out over your workforce and having good processes for how to handle sensitive information is pretty much a must if you want to be safe. The products above do a whole lot for the everyday security of people surfing the web, etc., but they really don't do much against either insider threats or people, not necessarily ones with bad habits, who drag bad things in from the outside or from home through various means. You could of course take hard measures to protect against several of these too, but there is the other side too: doing too many hard blocks also makes it harder to work and have a flexible workforce that gets things done, so it might just cost more than it gives you. Education and having security in mind from the start is what makes it really successful, especially in development. If it's not there from the beginning, you will have a lot of trouble making something truly secure, since it's only a piece tacked on at the side.
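The "Security Monitoring" point above (each product only sees a subset of the activity, so the monitoring layer has to correlate them) is easy to show in code. The following is an added example, not code from the post or from any product named in it: a toy correlation rule that joins a proxy log, an IDS alert log and a firewall log by workstation and only fires when all three sources agree within a short time window. Every log line is constructed for the example, the `key=value` field layout is an assumption, and the host names, URLs and addresses are made up.

```python
"""Toy cross-source correlation rule (added example, constructed data).

Individually, none of these events would normally page anyone:
  - the proxy allowed an .exe download (happens all day),
  - the IDS raised one low-severity alert,
  - the firewall allowed a few outbound HTTPS connections.
Seen together on the same host within ten minutes, they describe a
dropper-style pattern worth a ticket. Field layout 'TIMESTAMP k=v k=v ...'
is an assumption for this example; values contain no spaces so parsing stays simple.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)                     # correlation window after a download
EXE_RE = re.compile(r"\.(exe|scr|msi)(\?|$)", re.IGNORECASE)

# Constructed sample logs from three sources (all hosts, addresses and URLs are made up).
PROXY_LOG = [
    "2024-03-01T09:12:03 host=ws-17 user=alice url=http://files.example.net/update.exe action=allow",
    "2024-03-01T09:14:10 host=ws-22 user=bob url=http://intranet.example.local/report.pdf action=allow",
    "2024-03-01T09:20:00 host=ws-31 user=carol url=http://dl.example.org/setup.exe action=allow",
]
IDS_LOG = [
    "2024-03-01T09:12:40 src=ws-17 sig=POLICY_Suspicious_User_Agent severity=low",
]
FW_LOG = [
    "2024-03-01T09:13:05 src=ws-17 dst=203.0.113.10 dport=443 action=allow",
    "2024-03-01T09:13:07 src=ws-17 dst=198.51.100.7 dport=443 action=allow",
    "2024-03-01T09:13:09 src=ws-17 dst=192.0.2.44 dport=443 action=allow",
    "2024-03-01T09:21:00 src=ws-31 dst=203.0.113.99 dport=443 action=allow",
]


def parse(line):
    """Parse 'TIMESTAMP key=value ...' into a dict; 'ts' becomes a datetime."""
    ts, _, rest = line.partition(" ")
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def correlate(proxy_lines, ids_lines, fw_lines, min_destinations=3):
    """Return {host: summary} for hosts where an executable download is followed,
    within WINDOW, by at least one IDS alert and >= min_destinations distinct
    outbound destinations. Any single source on its own never produces a finding."""
    by_host = defaultdict(lambda: {"downloads": [], "alerts": [], "dsts": []})
    for f in map(parse, proxy_lines):
        if EXE_RE.search(f["url"]):
            by_host[f["host"]]["downloads"].append(f["ts"])
    for f in map(parse, ids_lines):
        by_host[f["src"]]["alerts"].append(f["ts"])
    for f in map(parse, fw_lines):
        by_host[f["src"]]["dsts"].append((f["ts"], f["dst"]))

    findings = {}
    for host, ev in by_host.items():
        for t0 in ev["downloads"]:
            t1 = t0 + WINDOW
            alerts = [t for t in ev["alerts"] if t0 <= t <= t1]
            dsts = {d for t, d in ev["dsts"] if t0 <= t <= t1}
            if alerts and len(dsts) >= min_destinations:
                findings[host] = {
                    "download_at": t0.isoformat(),
                    "ids_alerts": len(alerts),
                    "distinct_dsts": len(dsts),
                }
                break  # one finding per host is enough for a ticket
    return findings


if __name__ == "__main__":
    for host, summary in correlate(PROXY_LOG, IDS_LOG, FW_LOG).items():
        print(f"{host}: {summary}")
```

With the constructed data, only `ws-17` is flagged: `ws-22` fetched a PDF, and `ws-31` downloaded an executable but had no IDS alert and only one destination, so it stays below the threshold. Dropping any one log source from the call makes the finding disappear, which is the post's point about each product only seeing part of the picture.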