[loeg]

I don't agree with you on (1), so I think we need data.

(2) is creating an entirely different argument from blue sky. You're putting words in my mouth.

I support installing ad-blockers to reduce attack surface.

Removing Flash and Java is more nuanced. Most non-advanced users expect Flash sites to work and many non-advanced users need Java sites to work (e.g. enterprise internal crap). I think click-to-play is a decent mitigation here that non-advanced users can understand.

Maybe disabling Java is okay, so long as they really do not need it for anything. Disabling Flash is a harder sell.

[01Michael10]

Well in my experience as I mentioned in another comment is regular users with no AV solution will get infected almost 100% of the time in a short period of time. The same users with a good AV product I usually don't have to deal with them again. I have no idea how anyone couldn't agree AV solutions have a use.

I didn't put any words into your mouth but was just pointing out better things to do to reduce your attack surface than not installing AV. Java is dead and I can't recall any site needed to use in years that requires it. Flash doesn't need to be installed standalone at all anymore and shouldn't be. When a site requires Flash I fire up Chrome which has Flash built-in and is of course way more secure.

AV does have limited use for advanced users... I have gone back and forth between having a 3rd-party AV solution installed over the years. I have a high end PC and the product I use has little impact resource wise so why thinking is why not?