Even if 3mil machines are actively and currently compromised,
of all reachable hosts on the Internet, it would not be unreasonable
to assume that %80 or more are vulnerable to remote compromise
in some way. That number is speculative, but most estimates from
consutling firms are much higher. (Based on hundreds if not
thousands of penetration tests against corporate networks with
a %90+ success rate).
So of all possible 0wnable machines (including those without basic
anti-virus protection) I would personally speculate that the 3mil is
a pretty low estimate.
What these sort of stats mean is that ultimately, the Internet is not
in a state in which security controls can easily be added, mostly because
of the high degree of autonomy and relatively low level of sophistication
of each host and user on the network. The other reality of this is that
even if hackers aren't directly in control of that most machines, it would
not be inaccurate to say that due to the intrinsic risks in being connected,
users aren't really in control of their systems either.
Security tools are the same as any other software in that they are controls
that you add to a system to optimize it and extract value from it. These studies
show that there is still lots of room for optimization (read: buy their software)
and the implication that there is value in those optimizations.
So yeah, buy more software. 
TEXT.htm (4.03 KB)