@david_chisnall While I mostly share your views, as a (former) red teamer I have to tell you that endpoint protection is a massive PITA during initial access. They can always be circumvented of course, but a major pain point is that you (as an attacker) can't test the exact configuration that your target(s) run, esp. with cloud analysis that changes by the minute. (A related concept is binary reputation, that will immediately flag unique binaries).
Click Fix and similar, convoluted attacker techniques have evolved exactly because you can't simply deliver malicious executable code to the target environment these days.