IMO there are some slight "epistemological problems" with the discussion here... I don’t want to sound like this thread’s smartass — I know it’s just a relaxed forum discussion, ahem — I'm no security expert, but: there are no clearly defined (precise) parameters to make objective comparisons. And no real hard numbers or studies.
From what I've read, the "[what's really] necessary" parameter (the expression used in the thread's subject) is mostly used in subjective ways, as very personal evaluations of what's essential, without much definition of the other most important singular-individual and plural-contextual factors (hardware, software, human environment, network, the computer literacy of the person using the computer, etc.). (And yes, I kind of understand that the question is about finding the right balance between usability, performance, and security.)
Without any term definitions, what would an "essential, indispensable" security measure for Windows be? Only an up-to-date OS and a computer-security-literate and responsible user (now... define that!)?… Anyway. Then if I want to go beyond what's "necessary" I guess I'd probably add a router or a basic firewall, and a capable anti-virus? Then, what? I might add an HIPS, a sandbox, etc.?
PS: Apart from the usually pretty tangible performance drawbacks linked to some security software, I wonder how one knows that her data isn't just flying through multiple holes, open ports, without her consent (it’s not like there will suddenly be files missing in a folder… as if they were books on a bookshelf!)... Is the "I ran my computer without a firewall — or Win XP's basic firewall — for 3 years without a single problem" argument convincing? How can one be that sure that the computer ran "without a problem" and that all data stayed quietly at home? Sounds like a homeopathic argument to me...
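The post asks how a user can know what is listening and what is talking out. One concrete, defender-side answer is to inventory the host's own view of its sockets and firewall state, as in the following added example. It is not code from the thread or from any participant; it assumes a modern Windows (8 / Server 2012 or later, so not the XP mentioned above) with the built-in NetTCPIP and NetSecurity PowerShell modules, and the function names are my own.

```powershell
# Added example (not from the forum thread): inventory listening TCP ports and
# established outbound connections, attribute each to its owning process, and
# report the state of the Windows Firewall profiles.
# Assumes Windows 8 / Server 2012 or later (Get-NetTCPConnection is not on XP).
# Run from an elevated prompt so process paths of system services resolve.

function Get-ListeningInventory {
    # Every TCP socket in LISTEN state, joined to the process that owns it.
    Get-NetTCPConnection -State Listen |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [PSCustomObject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                ProcessId    = $_.OwningProcess
                ProcessName  = if ($proc) { $proc.ProcessName } else { '<unknown>' }
                ProcessPath  = if ($proc) { $proc.Path } else { $null }
            }
        } | Sort-Object LocalPort
}

function Get-OutboundInventory {
    # Established connections to non-loopback peers, i.e. the data actually
    # leaving the machine right now, again attributed to a process.
    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notin @('127.0.0.1', '::1') } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [PSCustomObject]@{
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                LocalPort     = $_.LocalPort
                ProcessId     = $_.OwningProcess
                ProcessName   = if ($proc) { $proc.ProcessName } else { '<unknown>' }
            }
        } | Sort-Object ProcessName, RemoteAddress
}

function Get-FirewallState {
    # Whether each profile is on and what it does with traffic no rule matches.
    Get-NetFirewallProfile |
        Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
}

'== Listening ports =='
Get-ListeningInventory | Format-Table -AutoSize
'== Established outbound connections =='
Get-OutboundInventory | Format-Table -AutoSize
'== Firewall profiles =='
Get-FirewallState | Format-Table -AutoSize
```

The useful habit is to save one run of this as a baseline (for instance with `Export-Csv`) and diff later runs against it: a new listening port or an unfamiliar process holding outbound connections is what you are looking for, not the raw list. This is only the host's own account of itself, so it cannot settle the "without a single problem" question on its own; a second opinion from the router's connection table or a packet capture on another machine is what turns the claim from a feeling into evidence.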