by jampekka 950 days ago
I don't think it's often even about actual security concerns as such but rather about following "best practices" (i.e. what some company sells) so nobody in the org can be blamed when the security fails.

This happens in physical security as well. It's rather common to have door accesses set up so that a person may not have access to go through a door, but can access both sides of the door from other routes. But there was a door-based access policy so nobody is to blame.

Sadly the main concern in many/most organizations is to avoid getting blamed for bad things, so rather than actually trying to prevent bad things, a lot of effort is used to just dissipate the responsibility away.