I and everyone I know use Defender alone on default settings. 0 infections and we're talking about average users that don't really know how to recognize scam, let alone what is malicious and what not. Windows Firewall is also more than enough as it blocks internet access to all new apps by default. I'd even argue your router firewall is even more important than Windows one.
And don't be fooled,
@Andy Ful 's configurator is only as powerful as Defender/Microsoft, lets it be. His app doesn't do anything magical, just changes some settings for advanced users through registry. Something you could achieve simply by going to Group Policy Editor and changing the values yourself.
Some kind of security DNS (Cloudflare, Quad9 or ControlD) + Google Safe Browsing and maybe some kind of security extension like Bitdefender Traffic Light if you're really paranoid, will do much better job than any antivirus software regarding web protection. And it costs you exactly 0,00€.
Security DNS servers usually use more than one threat intelligence source, along with Google Safe Browsing and Bitdefender Traffic Light, you're getting way better protection than just using one antivirus vendor.
I personally use Cloudflare Zero Trust + Google Safe Browsing in Firefox + uBlock Origin.
uBlock Origin is better because it gives user way more control than AdGuard extension. It also supports more syntaxes so pretty much all filter lists work in it correctly. And... it's way more efficient in resource usage than any other ad blocker out there. I'm talking about MV2 version, of course.
Ehm... why?
You forgot one, if not the most important thing. Hackers target companies, not you as an average Joe. They are aware you won't pay ransom, companies might not have a choice if they want to continue functioning.
10 years ago, if not more, hackers targeted indiscriminately; it didn't really matter if you were an average Joe or the company. We were equal. Nowadays, they exclusively attack companies because why waste time on you when they can earn way more money in enterprise sector. You can clearly see this in ransomware attacks. Everyone was attacked when it came, now you rarely see someone getting it and more often how some company or hospital got attacked.
Finally someone with common sense! THANK YOU!
Everyone is free to use whatever they want. We're just pointing out that you don't need to spend hundreds of €/£/$ yearly in order to have excellent protection. I most of the cases, free products will protect you even better than paid ones.
I'll just comment on comparison regarding ISP routers; at least in my country, 99% population uses ISP supplied router. It's fast enough and people don't mess around in router settings. This way they don't have to buy equipment, set it up themselves and ISP takes care for everything in case of any issues. The only benefit of using your own router is having total control and way more features than ISP router couldn't even provide. But still... the fact is 99% of people don't need the features my own router has; people only want fast internet access and that's what every ISP-issued router will provide.
For me, 3rd party antivirus software is simply a scam. Just look at "protection modules" that your "antivirus" software offers. There's no better example than Android antivirus apps; these apps are everything except antivirus.
www.malwarebytes.com
Also the same Microsoft's automatic analysis decided that the Android mining and banking malware that I submitted are not worth analyzing. Status "Submitted" means the AI has decided to ignore it. 
