Virus scanners are also REALLY easy to evade.
Take anything from your inbox, even years old, that's malware.
What things like VirusTotal show you is that anything can be a virus, and also that even the things that packages think are viruses aren't necessarily (e.g. an awful lot of apps are detected as "malware"... everything from sysinternals tools to scripts from Microsoft's own knowledgebase. Because they have, or could, be used maliciously).
I'm fairly sure I could knock up a self-replicating drive-wiping virus in a few hours. A bit of tweaking and I bet I could get it past VirusTotal with a clean slate. Should it ever run rampant, and end up on the signatures list, I could make a variation in minutes that would slip past the same scanners again.
Generally speaking, I'm the one telling Sophos that something that came into work is a virus, not the other way around.
And there are private and manufacturer-supported tools that do exactly this - have a VirusTotal-like equivalent sandbox for people to check their apps aren't going to be blocked on release, to submit and test things that might flag, etc. And you can guarantee that the bad guys have the exact same services available to themselves (hey, they don't even need to worry about licensing the antivirus, do they, really?).
The number of actual malware websites is pitifully tiny, and obvious the second you hit them. Any modern browser is defended by "Don't hit download and then run the program it downloads". The browser DOM does more than antivirus, or low-privilege sandboxing setup programs, ever did.
Though it could be helpful, there are browser extensions that do just what you say already. But it's a false sense of security. A VirusTotal check will happily let you download all kinds of crap, but will stop you getting basic admin tools off microsoft.com and things like that.