IP whitelisting and port knocking are not serious security methods. They're the very-poor-man's version of a VPN and access control policies, and they're not secure.
You are talking about organizations that have GPG private keys used for signing lying around and those that have Jenkins exposed to the outside world.
Dynamic IP whitelisting and port knocking are perfectly adequate for 99.9% of organizations.