poor security is not a problem, it's a set of symptoms
Just like you can't pop a pill that'll make you fit and healthy, you can't plop a "security" product into an environment and solve all your woes.
There are, in fact, many parallels between being a healthy person and having a secure computing environment. In fact the process of being secure, like the process of being healthy (or having a good job) are often referred to as having "hygiene factors" as, like personal hygiene, they don't make you healthy/secure, but they stop the opposite from happening.
Like keeping good health, you have to practice good security throughout everything you do. Getting a tan is like installing a firewall - superficially, it makes you look healthy to the outside world but does nothing to prevent internal problems from occurring. In a secure environment, it's not the tools you deploy that make the system secure, it's how you approach the whole issue (though, obviously, the right tools help).
So what we find is that whether a security issue is classed as "malware" (a nice excuse), internal people, accidental or whatever - the underlying cause is that the systems in place and the people behind them allowed a problem to occur. Adding more stuff won't help unless the mindset of a company's employees are changed and the directors of the company are prepared to back them with the policies and money needed to take a professional approach.
Sadly the security industry is packed full of snake-oil sales people, proffering a quick solution. It's also packed with decision-makers after a quick-fix, due to the short-term planning and results based reward sysytem of most companies. Plus of course, there's no objective way to reliably measure how secure a system actually is.