[fiedzia]

>You do have a single point to enforce everything: code

"code" usually is made of many smaller parts, what will keep those in sync to enforce anything? You are placing a burden on a developer (even more likely - on a group of developers), that just doesn't work in practice.

> And any company that allows users to make direct changes to a database without going through some security layer is pretty incompetent

Sure. But without schema at database level, there is no "security layer" to rely on. And you will eventually need to make a change that cannot be done via UI.