MSFT also allows arbitrary installation of software and development systems. They do force updates, scanning, and other common security best practices.
On the machines people use for Livesite support ("Secure Access Workstations") it's a different story. Those bad-boys are locked down from the supply chain through day-to-day use.
GP was talking like this alone was gross negligence, implying that this is different from the rest of the industry. That doesn't seem to be the case.