Oh, I agree, but the existence of horrible things like Oracle*Mail
indicates that if you think you have to scan everything that might, say,
contain email that might be read by people using vulnerable clients, you
have to add a virus scanner *inside the database* as well, to scan
everything going to and from tables.
Likewise you have to add a scanner inside everything else that maintains
structured/transactioned data storage.
Even discounting the security-brokenness of 'excluding the bad software',
this obviously will not scale.