He's right about AV code being shit. He's wrong on that being biggest impediment to shipping secure browsers. CompSci already created numerous secure browsers. Chrome architecture was even a performance, not security, enhancing modification of OP Secure Browser. The problem holding back secure browsers is none of the browser companies are using the proven techniques despite a number integrating with existing code. ;)

List of them was in this old comment:

https://news.ycombinator.com/item?id=9962444

Note: Illinois Browser Operating System (IBOS) and OP2 definitely worth looking up.