The problem is more that nobody wants to be changing policy as they won’t see a benefit and they will get blamed. Get hit by ransomware (which your AV wouldn’t detect), you get blamed for removing AV and you’re after a new job.
Our password policy still demands periodic changes despite NCSC/Microsoft/etc. advice saying not to do that, because who wants to take the risk of changing policy.