You're right, it is insane, but they wanted to make sure they could advertise that their VPN
module would nearly completely isolate the workstation from the local LAN traffic.
In my case, many of my customers have policies that require the workstation VPN software to limit
the client OS from talking with the local network for anything other than VPN traffic (makes
it a real pain to print locally).
Since I'm an outside contractor with VPN permissions and use Linux as my primary workstation
OS, if Cisco relied on running iproute commands to limit the connectivity, then I (as root)
could undo that and break the security policy.
Sure, there are ways around it, but I'm too lazy to implement some of them, especially when
bypassing them could end up in job termination.