In February I blogged about a vulnerability in a Trend Micro product that exposed systems "protected" by this anti-virus software to remote exploitation. Symantec provides another example that running anti-virus is not cost-free: "Symantec false positive cripples thousands of Chinese PCs."
Now, according to "Symantec may compensate Chinese users hit by buggy update," Symantec may pay companies affected by its botched signature update. Trend Micro apparently had a similar problem in 2005, before I was blogging about these dangers; it cost TM $8.2 million.
Please keep these stories in mind when you hear people claim that adding any security software to a system is automatically good and justified because of "defense in depth."
On a related note, this story pointed me towards the English-language edition of the Chinese Internet Security Response Team blog.