In addition, I read somewhere that the more complex an AV is, the more likely it is to be exploitable. From this point of view a simple static signature scanner (ClamAV?) is the least exploitable option. Least exploitable thus seems in contrast to most effective. Yet another trade-off, I guess.
The more complex ANYTHING is, the more vulnerable/exploitable it is going to be, in any industry really. There is something divine about simplistic yet functional creations of all types. German tanks in WWII were incredibly effective 'when' they worked, but incredibly complex and almost always broken in some way. Boxer engines are more complex and hence, generally, they are more unreliable.
Some AVs always appear like a mish-mash of different things thrown in, resulting in a complex and likely more vulnerable final product, and without a doubt more bloat. The simplicity and elegance isn't there with most products, and I feel that's one area in which the industry fails. This is actually why I appreciate the simplicity of some solutions, like Cylance, while I detest the increasingly convoluted nature of other suites.
I recently reconstructed the entire network infrastructure of my home. A big part of that was simplifying it and making it more elegant: running shielded 550 MHz Cat6 direct to each device off a central conduit, moving many wireless devices to wired, removing multiple switches from the home. This was done precisely to eliminate potential vulnerabilities and failures within the network.
Simplistic elegance is what's missing from the AV industry and nobody seems willing to step up and address that - apparently. I actually miss Nod32 for this reason. Anyone remember the old Nod32 with the tiny modular interface and no bloat?