I'm quite certain that my experience is more representative than yours is, but maybe I'm being cocky.
I'm in a position to deal with usually a half dozen companies at a given time, each operating on average 3 or 4 datacenters, at scales from up to about 30,000 servers a site down to some that have a closet with not even a full rack of equipment. As I said, it's *rare*, but it does happen *and* it has been a source of compromised lists when they kicked off a big internet scan a little over ten years ago. I don't know why you would insist that *no one* accidentally DHCPs a shared-NIC BMC onto a network it shouldn't belong to, and that some even go so far as to make those routable. It's not about how many *you* operate, it's about the number of different operators. Whether you manage 10 or 100,000, of *course* your policies are going to be consistent. And it may sound 'cheap', but there's no way I can name and shame companies specifically.
Reachability of whatever addresses you are using, and the security of the services exposed on those addresses are.
Part of the issue was the servers showing up in scans made by completely unrelated, unprivileged people. They were hitting up address ranges and coming up with large numbers of IPMI-responding devices at the time.
RAs being enabled is strange, because every router we use for datacenter terminations requires it to be explicitly enabled on an interface.
Not everyone is disciplined, and some guy might have an "initiative" and enable a feature and then leave. Yeah, that sounds terrible, but a lot of places are way messier than they should be. There are a *lot* of datacenter operators, and they mostly have a habit of thinking theirs is the only way to do things while somehow all doing things differently from each other.
The fix for that is to set up an entry in whatever your OS' hosts file is, pointing at localhost; that way the Host header is populated with the name rather than the address.
Well, maybe not Host, but Referer; BMCs are pretty used to the name or address making no sense to them. It's about the port number not being '443' or implicit that sometimes trips up some equipment in the Referer header. Particularly if they *kind of* implemented some referer checking in the name of CSRF protection, but often got too picky.
ssh -D 4343 is all you need to get a 'localhost' SOCKS5 proxy, and the only thing that I need to access remotely rather than through the SSH CLI is the web interface, and with SwitchyOmega or FoxyProxy that's utterly trivial to do and very well supported. Some vendor tools may not be able to cope with that, but either they can live in the same VLAN during operation or screw them, they aren't really that great anyway.
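The Host/Referer behaviour described in the last three comments, modeled as an added example rather than code from the thread or from any BMC vendor. The hostname `bmc01.example`, the ports, the SOCKS port 4343 and the shape of the "picky" check are all assumptions made for illustration; the point is to show why a local port-forward (ssh -L) with a non-443 port trips an over-strict Referer check, why the hosts-file entry fixes the name but not the port, and why a SOCKS tunnel (ssh -D) satisfies it. A second, less brittle check (Referer origin compared with the request's own Host header, the usual CSRF referer check) is shown beside it for contrast.

```python
"""
Added example (not from the thread, not any vendor's firmware): a model of an
over-picky BMC Referer check and of the request headers a browser sends over
the three access paths discussed. All names, ports and requests are constructed.
"""
from urllib.parse import urlsplit

# The (assumed) name the BMC believes it is reachable as.
BMC_NAME = "bmc01.example"


def picky_referer_ok(referer, expected_host=BMC_NAME):
    """Model of the strict check: Referer must be https, its host must equal
    the name the firmware thinks it has, and the port must be absent or 443.
    Anything else is rejected as a possible CSRF, including a legitimate
    user coming through a local port-forward on 8443."""
    if not referer:
        return False
    u = urlsplit(referer)
    if u.scheme != "https":
        return False
    if u.hostname != expected_host:
        return False
    if u.port not in (None, 443):
        return False
    return True


def origin_matches_host(referer, host_header):
    """Less brittle check: compare the Referer's origin (host plus explicit
    port) with the Host header of the same request. Both come from the same
    browser, so a non-443 port is fine as long as the two agree, while a
    cross-site Referer still fails."""
    if not referer:
        return False
    u = urlsplit(referer)
    if u.scheme != "https":
        return False
    ref_netloc = u.hostname if u.port in (None, 443) else f"{u.hostname}:{u.port}"
    return ref_netloc == host_header


# Constructed requests, one per access path.

# Path 1: ssh -L 8443:bmc01.example:443 jumphost ; browse https://127.0.0.1:8443/
PORT_FORWARD = {"Host": "127.0.0.1:8443", "Referer": "https://127.0.0.1:8443/login"}

# Path 2: same forward, plus hosts-file line "127.0.0.1 bmc01.example" ;
#         browse https://bmc01.example:8443/  (name now right, port still wrong)
HOSTS_FILE = {"Host": "bmc01.example:8443", "Referer": "https://bmc01.example:8443/login"}

# Path 2b: hosts-file line plus a privileged forward of local port 443 ;
#          browse https://bmc01.example/  (name and port both as the BMC expects)
HOSTS_FILE_443 = {"Host": "bmc01.example", "Referer": "https://bmc01.example/login"}

# Path 3: ssh -D 4343 jumphost ; browser SOCKS5 proxy at 127.0.0.1:4343 ;
#         browse https://bmc01.example/ directly through the tunnel
SOCKS = {"Host": "bmc01.example", "Referer": "https://bmc01.example/login"}

# A forged cross-site request: both checks must still reject this.
CROSS_SITE = {"Host": "bmc01.example", "Referer": "https://evil.example/csrf.html"}


def evaluate(request):
    """Run both checks against one request's headers."""
    return {
        "picky": picky_referer_ok(request["Referer"]),
        "origin_vs_host": origin_matches_host(request["Referer"], request["Host"]),
    }


if __name__ == "__main__":
    for label, req in [("ssh -L 8443", PORT_FORWARD), ("hosts file + 8443", HOSTS_FILE),
                       ("hosts file + local 443", HOSTS_FILE_443), ("ssh -D SOCKS", SOCKS),
                       ("cross-site", CROSS_SITE)]:
        print(f"{label:24s} {evaluate(req)}")
```

Only the SOCKS path (and a privileged forward of local port 443 together with the hosts entry) passes the picky model, which matches the observation that the port suffix, not the name, is what the firmware objects to. The origin-versus-Host variant accepts every legitimate path and still rejects the cross-site Referer, which is the behaviour one would want from the firmware's check.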