One of the things that appears to go unnoticed is the number of bits of monitoring, logging, AV, management that are installed, all with a nice little agent that is running as close to the kernel as possible. The actual agent may be perfectly secure but if the system is is sending back to or managed by become compromised you are in trouble. Many of these don't have any sort of reauthentication and are running as some system user. It can only be a matter of time before something like the Solarwinds issue hits a solution with a client. The more oif these tools that are cloud based also gives me concerns. You are entrusting yet more of your security to other people and as we all know, security is only as good as the weakest link. In this way going for the single point that has access to hundreds of systems is well work the effort. Going after some cloud-based AV solution would potentially give you access to millions of end points in one go.