From my experience I would say that there may be different factors:
- Every developer is an exception
- IAM is challenging to scale
- Lazy IT Teams?
- Visibility of access controls is poor
Some useful references:
- https://sysdig.com/blog/identity-access-management-difficult...
- https://www.effectiveiam.com/why-aws-iam-is-so-hard-to-use
- https://aws.amazon.com/blogs/security/iam-access-analyzer-ma...
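As an added illustration of the "visibility of access controls" point (example code written for this page, not from the commenter or from any of the linked articles), the following Python linter reads an IAM policy document and flags the patterns that make effective access hard to see at a glance: `Action`/`Resource` wildcards, `NotAction`/`NotResource` inversions, and a public `Principal` without a `Condition`. The sample policies are constructed for the example; the policy grammar it relies on (scalar-or-list fields, `Effect`, `Principal`) is standard AWS IAM JSON.

```python
"""Small IAM policy linter that flags statements undermining least privilege.

Added example; not from the comment above. It inspects IAM policy JSON for
patterns that make the real scope of access hard to see: wildcard actions,
wildcard resources, NotAction/NotResource inversions, public principals.
"""
import json

# Constructed sample policies for the example; not from any real account.
OVERLY_BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "NotAction": ["iam:*"], "Resource": "*"},
    ],
})

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-bucket/*",
        }
    ],
})

PUBLIC_RESOURCE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        }
    ],
})


def _as_list(value):
    """IAM allows scalar-or-list for most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard(entries):
    return any(e == "*" for e in entries)


def lint_policy(policy_json):
    """Return a list of (statement_index, finding) tuples for risky patterns.

    Only Allow statements are examined: Deny statements narrow access and are
    not a visibility problem in themselves.
    """
    doc = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        # Full admin grant is the worst case; report it once, not twice.
        if _is_wildcard(actions) and _is_wildcard(resources):
            findings.append((idx, "admin: Action * on Resource *"))
        elif _is_wildcard(actions):
            findings.append((idx, "wildcard Action"))
        elif any(a.endswith(":*") for a in actions):
            findings.append((idx, "service-wide Action wildcard"))

        # Inverted grants are easy to misread: they allow everything *except*
        # what is listed, so the listed part is not what the statement grants.
        if "NotAction" in stmt:
            findings.append((idx, "NotAction grants everything except the listed actions"))
        if "NotResource" in stmt:
            findings.append((idx, "NotResource grants all resources except the listed ones"))

        if _is_wildcard(resources) and not _is_wildcard(actions):
            findings.append((idx, "wildcard Resource"))

        # Resource-based policies carry a Principal; "*" with no Condition
        # means anyone, which is what Access Analyzer-style tooling surfaces.
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            aws_principals = _as_list(principal.get("AWS"))
        else:
            aws_principals = _as_list(principal)
        if _is_wildcard(aws_principals) and "Condition" not in stmt:
            findings.append((idx, "public Principal * without Condition"))
    return findings


if __name__ == "__main__":
    for name, policy in [("broad", OVERLY_BROAD_POLICY),
                         ("scoped", SCOPED_POLICY),
                         ("public", PUBLIC_RESOURCE_POLICY)]:
        print(name, lint_policy(policy))
```

Running it over the scoped policy yields no findings; the broad one reports the admin grant and the `NotAction` inversion; the resource policy reports the public principal. A linter like this is a cheap first pass before reaching for IAM Access Analyzer, and it is also a reasonable pre-commit check for policies managed as code.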