This is probably around whaling and spear-phishing.
This is probably about installing keyloggers and remote control services more than self-propagating code. You can buy malware to put in an email or host on a website; the goal is not to spread like a virus (thereby giving copies of itself to security firms) but to remain in use in a limited pool of interesting machines and be unlikely to be picked up.
The professional malware industry periodically seeds malware into residential IP space to find out if a/v companies are hiding honeypots in them. They know if there are honeypots there, since all of a sudden the signature blocks recognize unreleased malware. (Saw a great slide illustrating a post to a malware forum on this topic a few months ago.)
This is the kind of stuff that folks pay reasonably well for, and it is likely to be undetected for months after its initial release (unless there's good network reporting, and someone has time to read the sensors, and has time to analyze, rather than simply reimage, a compromised machine, and has time to find the original source of infection and escalate that to their a/v vendor. How many machines are you administering? How many of the above processes are automated, and hence efficient, at most companies? Just the reimaging one. Guess which one management favors over forensics?)
I see malware sent to users with titles at and above director, and the a/v on the server never sees it, and the a/v product on the workstation never sees it. The best stuff is the stuff embedded in Word documents, since there's no way to tell the corner offices that henceforth we're blocking .doc at the gateway. The outbound filter often does block it phoning home. Does it always? Of course not.
Samples of these targeted malware loads submitted to Symantec, McAfee, etc. shortly after their purchase would cost the client who'd violated the EULA dough. It would likely lead to earlier detection of the stuff, and an awareness that the CFO's password at the payroll site was blown. Generating new malware is basically free; once you've got the tools to flip a bit in your malware, or repack it with a different packer, you're going to bypass the next signature update and be able to supply your compliant customers with a/v-evading product. But if your target is now extra-suspicious, you may not get a second chance to install a keylogger on that CFO's system.
The threat of reporting to the a/v community is a pretty good one. All that a/v can do by itself is react to past threats; you buy it because you have to, and because a lot of malware is crap software that re-uses enough chunks of old attack methods that it may be picked up.
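The two claims above, that flipping a bit or repacking defeats the next signature update, and that re-used chunks of old code are what still gets sloppy malware caught, can be shown side by side with a toy scanner. The following is an added example, not code from the commenter or from any a/v product: it runs a hash-based signature and a byte-pattern signature over a constructed, inert byte string (the "sample" is just padding, two API-name strings and a few prologue-looking bytes; it does nothing), then shows what each signature sees after a one-bit change and after a trivial XOR "pack". The signature names, the sample bytes and the XOR key are all invented for the illustration.

```python
import hashlib
import re

# Constructed, inert stand-in for a dropper binary. Not a real executable:
# a fake MZ header, padding, two API-name strings that a scanner might key on,
# and a few bytes that look like a function prologue.
ORIGINAL_SAMPLE = (
    b"MZ\x90\x00"
    + b"\x00" * 28
    + b"CreateRemoteThread\x00"
    + b"SetWindowsHookExA\x00"
    + b"\x55\x8b\xec\x83\xec\x40"
    + b"\x00" * 16
)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Signature type 1: exact file hash. Brittle; any single-bit change misses.
HASH_SIGNATURES = {sha256(ORIGINAL_SAMPLE): "Trojan.Example.Hash"}

# Signature type 2: byte pattern over a re-used chunk (API string followed, within
# 64 bytes, by the prologue stub). Survives cosmetic edits elsewhere in the file.
PATTERN_SIGNATURES = {
    "Trojan.Example.Hook": re.compile(
        rb"SetWindowsHookExA\x00.{0,64}\x55\x8b\xec", re.DOTALL
    ),
}


def scan(data: bytes) -> list:
    """Return the list of signature names that match `data`, hash hits first."""
    hits = []
    digest = sha256(data)
    if digest in HASH_SIGNATURES:
        hits.append(HASH_SIGNATURES[digest])
    for name, pattern in PATTERN_SIGNATURES.items():
        if pattern.search(data):
            hits.append(name)
    return hits


def flip_one_bit(data: bytes, offset: int, bit: int = 0) -> bytes:
    """The 'flip a bit' variant: change one bit at `offset` (here, in padding)."""
    buf = bytearray(data)
    buf[offset] ^= 1 << bit
    return bytes(buf)


def xor_pack(data: bytes, key: int) -> bytes:
    """Toy 'packer': XOR every byte with `key`. A real packer would prepend a stub
    that undoes this at runtime; here we only care what a static scanner sees."""
    return bytes(b ^ key for b in data)


def demo() -> dict:
    """Run all three scans and return the results, keyed by variant name."""
    flipped = flip_one_bit(ORIGINAL_SAMPLE, offset=10)   # inside the zero padding
    packed = xor_pack(ORIGINAL_SAMPLE, key=0x5A)          # arbitrary constructed key
    return {
        "original": scan(ORIGINAL_SAMPLE),
        "bit_flipped": scan(flipped),
        "packed": scan(packed),
    }


if __name__ == "__main__":
    for variant, hits in demo().items():
        print(f"{variant:12s} -> {hits or 'no detection'}")
```

The bit flip changes the hash, so the hash signature misses, but the pattern signature still fires because the re-used chunk is untouched; that is the "crap software gets picked up" case. Repacking hides the chunk from static inspection as well, which is why a new packer, not a bit flip, is what actually buys another round of evasion, and why the defender's better move is the one the comment describes: get the original sample into the vendors' hands early.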