This wasn’t really true in decades past - there was a cat and mouse game where often it could be detected because the virus wasn’t perfect at hiding its activity and resource usage – and it’s become far less so in the era where even consumer hardware has virtualization features which allow even kernel code to be restricted. Even Windows is starting to use that to prevent malware from accessing secrets (e.g. Credential Guard) so I wouldn’t treat this as the ring0=game over situation it was in the 90s.

A more accurate phrasing is that antivirus software can positively confirm the presence of malware but it cannot on its own definitely prove the absence of ring0 malware. For that, you need an Apple-level secure boot process to give confidence that the code is running on an unmodified, unvirtualized kernel.