The usual problem is systems that are intentionally connected to both networks, and after compromise happily serve as points to enter the inner network.
‘Arm Waving’ Response to Hackers Makes Oil Industry Easy Prey
Everyone from the facility managers to the private equity owners assumed that the plant’s computer network was “air-gapped” -- a term referring to computers that aren’t connected to the internet or another unsecured network. But when Mission Secure installed monitoring devices to check, they discovered that a worker on the night shift was connecting his Roku device to the internet to watch episodes of “CSI: Miami.”
https://www.bloomberg.com/news/articles/2021-05-12/colonial-...
So stuff like this wouldn't happen.