
Long battle

Posted Mar 23, 2025 16:47 UTC (Sun) by tialaramex (subscriber, #21167)
In reply to: Long battle by NYKevin
Parent article: Julien Malka proposes method for detecting XZ-like backdoors

Nah. I have worked for small, medium and large proprietary outfits over the decades.

At every place there was a theory which usually looks much like what you discuss - and then a reality which did not at all.

On Friday, for example, we discussed a work card for (I will change names to protect the guilty) "Raspberry scheduler upgrade?" marked as an Infosec problem. Trivial upgrade, small card, upgrading the Raspberry scheduler won't be hard, so why are we talking about it? Ah yes, said the very experienced team lead talking, the thing you need to know is that the Raspberry scheduler machine xyz1234 was a really convenient system to dump other stuff onto, either when it had no natural home or while waiting for Infrastructure to spin up a permanent home. So, if you just upgrade the Raspberry scheduler and tick done, either Infosec will make these other arbitrary systems no longer work OR they will re-open your ticket, now with a higher priority, saying you didn't fix it because xyz1234 still fails their checks. You need to go scuba diving in that machine, figure out absolutely everything we're actually using it for, document it and write more cards about all the upgrades needed to meet Infosec's requirements, but also please upgrade the Raspberry scheduler while you're about it.

At my last big corp Linux work, I had SSH and sudo on the production machines. I didn't want that access, but I had unsuccessfully argued against having it for maybe 5+ years before I quit for other reasons.


Copyright © 2025, Eklektix, Inc.