Back in the early days of the computer virus problem (the 1980s and 1990s), there was a certain plausibility to this question. Viruses began, in most cases, as mere forms of vandalism created by experimenters ("hackers") for their own amusement or bragging rights.

Multiple anti-virus vendors emerged with solutions, and eventually they started advertising their products based on various parameters including the number of virus signatures included. As these things tend to do, this briefly escalated into a "signature war" where each vendor claimed to have more signatures than the others. Vendors jealously guarded their signatures so they would have an advantage over their competitors.

It would have been easy during this era to imagine that there couldn't possibly be enough teenage hackers out there to create the thousands of viruses that the top vendors were claiming. In a search for other sources, one might assume that the anti-virus vendors themselves (who stand the most to gain) were creating the viruses.

A number of developments around this time (the early 1990s) tend to provide alternate explanations for the virus boom. One was the emergence of virus creation kits such as the Virus Creation Laboratory, which allowed someone with a very low level of expertise to create new viruses at will. Another was the emergence of polymorphic code, a technique where viruses would alter their own code specifically to evade signature-based anti-virus software. Multiple polymorphic versions of the same virus would sometimes inflate signature counts.

Because of the emergence of polymorphic code, many anti-virus vendors were forced to change their software (and their advertising messages) to get away from the idea of signature counts. Instead they used other heuristic ways to detect viruses. Frankly, trying to battle in the market over signature count is not a good long-term strategy anyway - your customers get tired of hearing the same message, it becomes costly to keep up your signature collection efforts, and so on.

This led to anti-virus vendors beginning to cooperate with each other on signature collection. For a long time the Wildlist was one way the vendors very quickly handed over new virus samples to each other, so all vendors would be able to respond to new threats in a timely manner. This continues to this day in sites such as Offensive Computing, where millions of samples of actual malware are available to logged-in users. The standards committees have even gotten involved, with the IEEE forming a malware working group to develop standards for rapid sharing of malware samples.

Logic would tend to dictate: if the vendors are rapidly sharing samples, why create new ones themselves? And indeed, anti-virus vendors have always reacted negatively when others have publicly created malware for various purposes. Examples of such backlashes include those against a college class in 2003 and against Consumer Reports in 2006.

As the tagging on this question would suggest, it is more correct now to refer not just to the virus problem, but the more general malware problem. This includes such concepts as the botnet, something we never saw in the early pre-internet virus era. And that change in definitions leads us to the biggest alternate explanation for the explosion of malicious code. As before, the explanation involves money.

There are hundreds of ways to make money online, and many of them are well suited to abuse. This has resulted in the emergence of large numbers of cyber criminals who take advantage of these forms of abuse.

These monetary incentives include:

All of this creates a tremendous monetary incentive to evade signature-based anti-malware, so polymorphic malware and rootkits have proliferated amongst these online criminals. A current article indicates that as a result the very idea of signature-based malware detection is dying, and has been for some time.

Lone hackers still exist, but they are by far a minor component of the modern malware problem.

Bottom line: no current anti-malware vendor would ever see the need to create their own viruses or malware. It is everything they can do to keep up with what's out there.

[Disclosure: I've worked for computer security software vendors, but have never worked directly on an anti-virus product. I have taught classes in how to reverse-engineer malware. The Offensive Computing site is run by a friend of mine.]