Antivirus software should not be the only protection on a company, for computers running Windows a Domain with Group Policies should be in place to protect the machines and to restrict what users can/ should do.
If the users can do anything then go with ESET because it's one of the few that will block the install of most crapware...
You're totally right on that. Domain GPOs (and also Local GPOs) add a very good protection to computers connected to a domain and are quite easy to maintain (at least, for Domain GPOs, gpupdate /force is a command I abuse of), but only when you have a good Sysadmin (or 2-3) that have the resources necessary for it. Where I work, they have all that and it goes really well, althought there's always one or two malware that manage to slip by (this is what happens when you give a hundred employees that aren't really security-aware Admin Rights on their work computer).