A lot of Active Directory defaults are wildly insecure, even on a newly built domain, and there are a lot of Active Directory admins out there who don't know how to properly delegate AD permissions.
This is true. You are basically one escalation attack on the CFO away from someone wiring money to hackers and a new remotely embedded admin freely roaming your network.