Here's my 10 cents. AV works, EDR a bit more so, i.e. it blocks lots of stuff and stops many bad things happening. Pen testers may laugh at it, but most organisations' day-to-day threats are malware related, not pen testers or targeted attacks. Will it stop everything? No. Does that mean don't use it? No. Does it mean targeted attacks won't happen? No.
Would whitelisting be better? Yes. Can it be rolled out at scale? Yes, but it never commonly happens as it's a PITA.
I seem to be saying this every day now: "Don't let perfect be the enemy of good." Security people seem to be amazing at letting crap happen because it's not the perfect solution.
In the medical world they use these definitions (nice definitions):
"Effectiveness: How beneficial a test or treatment is under usual or everyday conditions, compared with doing nothing or opting for another type of care.
Efficacy: How beneficial a test, treatment or public health intervention is under ideal conditions (for example, in a laboratory), compared with doing nothing or opting for another type of care.
Empirical evidence: Evidence that is based on experience (observation or an experiment) rather than on reasoning alone."
Do we have empirical evidence that AV/EDR is effective? Yes.
We need to focus more on what's effective, not what's perfect (i.e. effectiveness v efficacy).