
For various reasons: you probably have more endpoints on your network than proxy servers and thus a bigger attack surface. Keeping the endpoints up-to-date is harder (e.g. laptops that are not permanently attached to the network to receive updates). If your endpoints are workstations, human interaction (e.g. installing malicious software, opening malicious attachments) and the overall complexity of the system (e.g. GUI, multiple users) make it weaker than a central, dedicated, isolated, stripped down and locked down set of proxy servers. And finally, process isolation is really, really hard (if your countermeasure _only_ runs on the target (endpoint), you already weakened your position).


