That sounds really the wrong way around - the worst offenders in USB malware surely are flash drives that declare themselves as keyboards and input preprogrammed keyboard events (like the USB Rubber Ducky [0])!
(For your parenthetical I should clarify - it wasn't the case that it was impossible to whitelist other devices, it just had to be done on a case-by-case basis. I.e. you would call IT and say "Jen from accounting at machine foo123 needs her new ergonomic mouse to be recognized" and they would remote in, tell Jen to unplug and replug the device and whitelist that exact USB device id on that exact machine.)
It may be so, but I'm talking from experience - as a keyboard geek I have, over the past ten years, taken all sorts of weird keyboards (and mice) into various big banks with not a hint of trouble. USB storage, on the other hand, qualifies for an instant termination.
(For your parenthetical I should clarify - it wasn't the case that it was impossible to whitelist other devices, it just had to be done on a case-by-case basis. I.e. you would call IT and say "Jen from accounting at machine foo123 needs her new ergonomic mouse to be recognized" and they would remote in, tell Jen to unplug and replug the device and whitelist that exact USB device id on that exact machine.)
[0] https://shop.hak5.org/products/usb-rubber-ducky-deluxe