Often it's more that it is hard to avoid having that account. And management don't see the point in making it so that they need to get two underlings working together to jump through hoops to trace through the whole stack and work out why the camera monitoring the Very Important Customer's executive liquor cabinet was offline when persons unknown emptied it.
For small companies often "devops" is one person, sometimes even one person who also does other stuff. I like to think I've made it difficult for that specific person to get complete control of any specific device that we've sold, but I'm also aware that it takes one bug in one of those devices to undo anything I can do on the server side. All they need to do is get the public IP from my system (which is needed right down to customer service level), knowledge of a bug and bingo... they have control. Especially if the bug is "customer chose an obvious password" .
For small companies often "devops" is one person, sometimes even one person who also does other stuff. I like to think I've made it difficult for that specific person to get complete control of any specific device that we've sold, but I'm also aware that it takes one bug in one of those devices to undo anything I can do on the server side. All they need to do is get the public IP from my system (which is needed right down to customer service level), knowledge of a bug and bingo... they have control. Especially if the bug is "customer chose an obvious password" .