by Run_DOS_Run
1181 days ago
It's far easier to find 0-days in antivirus software than in commonly used operating systems or servers (IIS, Nginx, ...). The attack surface is huge, the software is often very old and written in a memory-unsafe language like C and C++ for performance reasons. I reverse engineered some antivirus products myself and the quality of most AVs is pretty bad. AFL (American Fuzzy Lop) without a custom mutator crashed some of them in less than 15 minutes at the most trivial parts like parsing a PE file. Also, snake-oil features like "anti-rootkit scanner" just compare hashes (sometimes MD5 hashes) of installed drivers. In the past a rootkit could circumvent such a scanner with IAT hooking. In 2023 those scanners are obsolete anyway. Also, antivirus 0-days are far cheaper than for other software.*

* https://zerodium.com/program.html