I'm in the same position (IT security at a large corp), with the difference that we're a Google customer. Our email and collaboration suite is Gmail/Drive/Talk/Hangouts. This means we are now recommending Chrome as the default browser on all corporate machines. Keeping Chrome locked down has been a challenge for us and not a week goes by where we don't find that someone has or is planning to attempt to bypass our restrictions by installing Chrome extensions or using web apps that integrate with Google Apps by means of giving them your Google username and password.
Google makes it extremely hard for an enterprise security team to set reasonable restrictions. Our support response from Google is usually "we don't support locking that down" or "we don't have a way to let people access feature X without also allowing feature Y". Make no mistake, Google Apps for Enterprise exists in name only.
The policy in these large IT seems to often be: "don't do anything, it could go wrong". The long-term damage is worse but the policy stays because, that way, there is no one to blame (or might be MS for security leaks in IE6 in 2013).
I'm not saying that the issue only came from IT. A well prepared plan that went wrong should be considered a necessary evil.
Security is about business enabling. We're here to help the business work efficiently, not to get in the way. Feature X might work nicer than Feature Y, but Feature X presents an unacceptable risk to the business. Users are going to demand Feature X even still. It's security's job to present these risks and it's up to the business to accept them or not.
Policy is what you're talking about, and solid enforcement. If you don't have a way to ensure people are adhering to the policy, you're in a world of hurt because yes, they will do whatever they can to get the features they want.
There is truth in this, and always some tension between users and IT/corporate security.
But the bottom line is that the machines are there for work, and a single security problem caused by a single careless/uneducated user can cause devastating consequences for the organisation as a whole, so I find myself increasingly taking the IT guys' side on this one.
Put it this way: the employee who wants to install Chrome because it's their favourite browser or to bring their own device because they don't want to carry a second company one probably isn't the employee who's going to get paged at 3am and then spend all weekend reinstalling clean images on compromised machines if there's a security breach, nor the one who is going to have to explain to senior management why the company has lost $6M this week due to downtime because the recovery had to happen during business hours.
So unless the user wanting to break the rules is willing and able to underwrite all potential losses to the employer, which they aren't, it is perfectly reasonable to not only restrict what they can do with the employer's systems but also to penalise them severely if they try to circumvent those rules.
This is an oversimplification and the type of thinking that gets IT labeled as nothing more than a business cost center. IT shouldn't just be limited to preventing downtime and making sure things continue to work. It should also be focused on making employees more productive. You might say allowing Chrome cost the company $6 million due to downtime, but are you factoring in the potential losses from having a more draconian IT policy? For example, how much more productive would employees be if they could automate part of their normal workload with a good browser extension, or how does a more employee-focused IT policy alter employee morale and in turn employee retention?
Of course I was oversimplifying, and of course any good IT department recognises that its job is to help other people do theirs. I did start by acknowledging joelthelion's point, and I have no problem with the idea that someone who has a genuine business need to do something outside the normal rules should be able to request a reasonable exception to whatever general policies might apply.
However, you need an awful lot of indirect benefit to make up for one screw-up that breaches corporate security, particularly if you work in a regulated industry like healthcare or finance. Lawyers and industry regulators don't care about any goodwill you got from letting Bob bring his own laptop to work if Bob's laptop was subsequently left on a train opening access to thousands of customers' medical records or credit card details. You could probably have fired Bob and hired an entire team of other people who didn't care about using their own laptop with the money you're instead paying as a fine for that one, though perhaps not so much if the business collapses due to the adverse PR and an executive or two gets thrown in jail for negligence.
It is downright scary how incompetent, indifferent and arrogant most IT organizations are. They are usually run by someone whose background is in procurement (i.e. buying things cheap) or compliance (i.e. lawyer). And if you try to explain something like this to them, they just DO NOT CARE.