Next: Summary Up: General Purpose Monitors Previous: Functionality

Selection Factors

Accuracy

A monitoring program assumes that viruses perform actions that fall within its model of suspicious behavior, and that they perform them in a way it can detect. Neither assumption always holds. A new virus may use a technique that falls outside the model, and such a virus will not be detected by the monitoring program.

The techniques used by monitoring tools to detect virus-like behavior are also not fool-proof. Because personal computers lack hardware memory protection, a program can usually circumvent any control feature of the operating system. Monitoring programs hook into the operating system, so they are vulnerable in the same way: some viruses evade the monitor, and others simply turn it off.

Finally, legitimate programs may perform actions that the monitor deems suspicious (e.g., self-modifying programs).

Ease of Use

Monitoring software is not appropriate for the average user. The monitor may be difficult to configure properly, and if the configuration is not optimal the rate of false alarms (false positives) can be high.

The average user may not be able to determine that program A legitimately modifies files but program B should not. A high rate of false alarms can discourage such a user; at worst, the monitor is turned off or ignored altogether.
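The following toy monitor, added here as an illustration and not code from the NIST document, makes the accuracy and ease-of-use points concrete. It models a behavior monitor as a fixed list of suspicious actions plus a hand-maintained per-program allow list, then runs constructed event streams through it: a virus using a technique in the model (caught), a legitimate linker writing an executable (false positive until the administrator adds an exception), a virus using a technique outside the model (missed), and a virus that disables the monitor before acting (everything afterwards goes unseen). All program names, action names and file paths are invented for the example.

```python
"""Toy behavior monitor illustrating model gaps, false positives, and
evasion. Constructed example; not code from the NIST page."""

from dataclasses import dataclass, field


# One hooked operation in the style a DOS-era monitor would intercept.
# (program, action, target) are hypothetical labels, not a real OS interface.
@dataclass(frozen=True)
class Event:
    program: str
    action: str   # e.g. "open_write", "set_vector", "direct_disk_write"
    target: str   # file name, interrupt vector, or disk sector


EXECUTABLE_SUFFIXES = (".exe", ".com", ".sys")


@dataclass
class Monitor:
    # The monitor's model of suspicious behavior: the only actions it knows to watch.
    suspicious_actions: set = field(default_factory=lambda: {"open_write", "set_vector"})
    # Per-program exceptions that an administrator must configure by hand.
    allow: dict = field(default_factory=dict)   # program -> set of permitted actions
    enabled: bool = True

    def is_suspicious(self, ev: Event) -> bool:
        # Writing to a file is only suspicious when the file is executable.
        if ev.action == "open_write":
            return ev.target.lower().endswith(EXECUTABLE_SUFFIXES)
        return ev.action in self.suspicious_actions

    def check(self, ev: Event) -> str:
        """Return 'allowed', 'alarm', or 'unseen' for one event."""
        if not self.enabled:
            return "unseen"
        if ev.action == "disable_monitor":
            # The same lack of memory protection that lets the monitor hook the
            # OS lets a virus switch the monitor off; nothing after this is seen.
            self.enabled = False
            return "unseen"
        if not self.is_suspicious(ev):
            return "allowed"          # outside the model: a novel technique is missed
        if ev.action in self.allow.get(ev.program, set()):
            return "allowed"          # administrator-configured exception
        return "alarm"

    def run(self, events):
        return [(ev, self.check(ev)) for ev in events]


def summarize(monitor: Monitor, events) -> dict:
    """Run the events through the monitor and count the verdicts."""
    counts = {"allowed": 0, "alarm": 0, "unseen": 0}
    for _, verdict in monitor.run(events):
        counts[verdict] += 1
    return counts


# Constructed event streams (hypothetical programs and paths).
VIRUS_KNOWN = [Event("virus.com", "open_write", "C:\\GAMES\\GAME.EXE"),
               Event("virus.com", "set_vector", "INT 21h")]
LINKER = [Event("link.exe", "open_write", "C:\\SRC\\PROG.EXE")]            # legitimate
VIRUS_NOVEL = [Event("stealth.com", "direct_disk_write", "sector 0x2A3")]  # outside the model
VIRUS_KILLER = [Event("kill.com", "disable_monitor", "monitor"),
                Event("kill.com", "open_write", "C:\\DOS\\COMMAND.COM")]


if __name__ == "__main__":
    print("known technique:", summarize(Monitor(), VIRUS_KNOWN))
    print("legitimate linker, no exception:", summarize(Monitor(), LINKER))
    print("legitimate linker, with exception:",
          summarize(Monitor(allow={"link.exe": {"open_write"}}), LINKER))
    print("novel technique:", summarize(Monitor(), VIRUS_NOVEL))
    print("monitor disabled first:", summarize(Monitor(), VIRUS_KILLER))
```

Extending `suspicious_actions` with `"direct_disk_write"` makes the novel-technique stream raise an alarm, which is the "update when a new class of technique appears" cycle described under Administrative Overhead; the linker exception is the per-program judgment the text says an average user cannot be expected to make.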

Administrative Overhead

Monitoring programs can impose a fairly heavy administrative workload. They impose a moderate degree of overhead at installation time; this is especially true if several different systems are to be protected. The greatest amount of overhead will probably result from false positives, though. This will vary greatly according to the users' level of expertise.

On the other hand, the monitoring software does not have to be updated frequently. It is not virus-specific, so it will not require updating until new virus techniques are devised. (It is still important to remain up-to-date; each time a new class of virus technology is developed, a number of variations emerge.)

Efficiency

Monitoring packages are integrated with the operating system so that additional checks are performed on the operations they watch. This implies some overhead whenever a program is executed, but the overhead is usually minimal.



konczal@csrc.ncsl.nist.gov
Fri Mar 11 21:26:02 EST 1994