John,
In most cases the IT folks are not the ones making the final decision. IT security will often warn the business that certain critical systems are exposed. Either IT communicates poorly or the business thinks a strongly worded contract is "risk mitigation".