
Security compliance requires all sorts of "invasive" tooling to ensure your client workstations and servers are "safe". Sadly it's mostly a checkmark and oftentimes has dated and arbitrary requirements. As far as I know, CrowdStrike was one of the easier ones to set up, albeit expensive.



Ticking off checkmarks to deflect liability seems to be the point of the Security products market.


I think it's mostly driven by a few things:

A. Doing security is expensive and viewed as a cost burden at a lot of non-technical focused companies. Lots of businesses hedge their bets hoping that a security incident won't be as expensive or detrimental as having a great security posture. Sadly often times they aren't wrong either.

B. Security compliance standards are dated and opinionated, requiring rigid solutions to complex, ever-changing security threats.

Both of those can drive the narrative of pushing for tooling that offers the least amount of resistance to implement and be able to claim "secure".

Additionally, IT and Operations teams are constantly getting more duties and can be some of the first teams to get rightsized and viewed as "cost centers" in some companies. I've seen teams reduced 50-80% over the years with expectations higher and security compliance becoming the last on the list and then getting the least amount of energy and attention.



