From a developer (yes a _user_!) point of view I am going to have to disagree with you on the performance hit being unnoticeable! Our company has both Read & Write On Access scanning enabled and I see McShield hit 30-50 percent of the CPU constantly. I would estimate (unscientifically) that I lose at minimum an hour a day due to the on-access scanning. Opening VS2008 and then a large project, compiling and updating the source repository is dreadful. Additionally, using some other tools I have seen a 28 minute load time with McShield enabled to a < 2 minute load time with McShield disabled. I think there is a trade-off between being "safe" and complete nonsense. Additionally, what I cannot get through to Corp IT is that there is a difference between an M$ Office user, Engineers using CAD, and Software Developers.
On the plus side I get a couple of really nice lunches and breaks during the day when my computer is being safe for me.
This thread belongs in the VSE community. That said I did read through and I can tell you that not scanning "on read" does pose a security risk. Some infections cannot be detected/cleaned with scan on read disabled. Also perhaps when the machine was initially infected the DAT files did not have a detection for that threat but a subsequent DAT release does. In that scenario the infection has already been written to the HDD so the OAS would only pick it up if you had "Scan on read" enabled.