Perhaps I will open America to someone, but .. With brains.
Actually, if there is no way to use * nix's, then there is only one way out - to greatly increase the literacy of network users. A properly used system will not give a single chance for a virus to get into the system, except, ofk, for huge security holes.
That is, we set up group policies, only what is needed for work. The rest - or nafig, or in the sandbox'e.
By the way, sandboxes are an interesting thing. Not so long ago, I conducted an experiment that surpassed all expectations: I installed and configured a chromium-based browser that saves everything in sandboxes. Everything that is downloaded gets, so to speak, into the root sandbox. Any executable that runs inside a sandbox gets its own fully isolated sandbox. For reading - everything within root'a, for writing - only to itself. The only way to get full access to the file systems is to run from outside, but only the admin can do this. How did he exceed all expectations? Yes, xs, I didn’t measure viruses, but it became possible to surf pron normally =)
Well, and one more thing - all servers are only * nix, root only from local, sudo wants a root password that only the admin knows, ssh for separate passwords 8 characters long from anything.

You can add analysis of incoming e-mail for attachments of executable files, scripts, links.
First, manual analysis, if you are surprised by what you find, then try mail gateway.

The task of protecting against malicious code (viruses, etc.) should be solved in a complex way:
- strict but reasonable restrictions (Internet, user rights, installed software, connected devices, etc.)
- anti-virus protection in several levels (several vendors, it is more difficult to maintain , but also more difficult to bypass)
- software update policy (OS, application software, hardware firmware)
- traffic monitoring (IDS / IPS, DNS traffic filtering services, blocking unused protocols)