It's not necessary: it's just convenient or more profitable. There's guards, link encryptors, authenticated networking, and OSS knockoffs of above to either reduce risk of or probably prevent malice from hitting on-site computers.
They're just not applied by most because people paying don't give a shit. Any high-security engineer doing SCADA or site-to-site for big companies will probably tell you so.