Originally OV allowed file-based certificates (pkcs12) and EV required an HSM. But since June 2023, now file-based certificates are no longer allowed[1], you need to certify that your CSR comes from an HSM (just paperwork, nothing technical) as part of the issuance request.
Smartscreen, AV warnings, etc use a reputation-based system. No amount of money makes you truly immune from warnings, but paying for EV does give you a higher default reputation. Since there is no longer any file-vs-HSM distinction between EV and OV, it is simply a cost for more default reputation. Any business will pay it easily.
(My prediction is that OV/EV will consolidate to a single offering, in the same way that EV for web SSL has been phased-out.)
Azure Trusted Signing is an all-in-one service that creates keys, purchases the certificate, and hosts the HSM for you. It's still OK to do all these things separately e.g. purchase the cert from Globalsign and use Azure Key Vault as the HSM (you have to pay for the 5 USD/mo service for the larger key size, instead of the cheap one).
Although I think even OV require HSM now for local, with some options for hosted services like Azure Trusted Signing.
But I really don't know. I read details only to end up not certain.