by joelthelion 4846 days ago
Wide-ranging policies like this actually damage security as users will do anything to access the functionality that they want.

Plus they will make users hate you.


Security is about business enabling. We're here to help the business work efficiently, not to get in the way. Feature X might work nicer than Feature Y, but Feature X presents an unacceptable risk to the business. Users are going to demand Feature X even still. It's security's job to present these risks and it's up to the business to accept them or not.

Policy is what you're talking about, and solid enforcement. If you don't have a way to ensure people are adhering to the policy, you're in a world of hurt because yes, they will do whatever they can to get the features they want.

There is truth in this, and always some tension between users and IT/corporate security.

But the bottom line is that the machines are there for work, and a single security problem caused by a single careless/uneducated user can cause devastating consequences for the organisation as a whole, so I find myself increasingly taking the IT guys' side on this one.

Put it this way: the employee who wants to install Chrome because it's their favourite browser or to bring their own device because they don't want to carry a second company one probably isn't the employee who's going to get paged at 3am and then spend all weekend reinstalling clean images on compromised machines if there's a security breach, nor the one who is going to have to explain to senior management why the company has lost $6M this week due to downtime because the recovery had to happen during business hours.

So unless the user wanting to break the rules is willing and able to underwrite all potential losses to the employer, which they aren't, it is perfectly reasonable to not only restrict what they can do with the employer's systems but also to penalise them severely if they try to circumvent those rules.

This is an oversimplification and the type of thinking that gets IT labeled as nothing more than a business cost center. IT shouldn't just be limited to preventing downtime and making sure things continue to work. It should also be focused on making employees more productive. You might say allowing Chrome cost the company $6 million due to downtime, but are you factoring in the potential losses from having a more draconian IT policy? For example, how much more productive would employees be if they could automate part of their normal workload with a good browser extension, or how does a more employee-focused IT policy alter employee morale and in turn employee retention?

Of course I was oversimplifying, and of course any good IT department recognises that its job is to help other people do theirs. I did start by acknowledging joelthelion's point, and I have no problem with the idea that someone who has a genuine business need to do something outside the normal rules should be able to request a reasonable exception to whatever general policies might apply.

However, you need an awful lot of indirect benefit to make up for one screw-up that breaches corporate security, particularly if you work in a regulated industry like healthcare or finance. Lawyers and industry regulators don't care about any goodwill you got from letting Bob bring his own laptop to work if Bob's laptop was subsequently left on a train opening access to thousands of customers' medical records or credit card details. You could probably have fired Bob and hired an entire team of other people who didn't care about using their own laptop with the money you're instead paying as a fine for that one, though perhaps not so much if the business collapses due to the adverse PR and an executive or two gets thrown in jail for negligence.