Well, no it's not an outdated attitude -- corporate security is about mitigating risk, not eliminating risk, and part of that mitigation is preventing unmanaged devices from connecting to the corporate "trusted" network through NAC policies -- if your device doesn't pass the NAC check, it's not getting on the network, either let IT manage your device, or you can connect to the guest network.
Corporate security may be about mitigating risk, but IT is about providing services. It shouldn't be security's call to remove a service from the portfolio because they don't want the risk. Your job is to provide the service with as little risk as possible and to provide guidance to the rest of IT. Not allowing BYOD because in the name of security is like wiping everyone's hard drive in the name of security. Sure, you have reduced risk, but also crippled the system.
Most companies already treat insiders as threats, so BYOD on the corporate network isn't any additional risk. If you don't, then that's the outdated attitude I was referring to.
I know an AUP isn't security. I brought it up to say that they only require an AUP, meaning that no additional security precautions are taken.
The "hold you responsible" comment wasn't very clear, sorry about that. What I really meant was that if you are denying functionality then there better be an associated benefit. So, the eventual end of that logic is that if you take an extreme position of "all devices on the network must be controlled by me", then you should be held to an equally extreme consequence of "well, then everything is your fault - not professionally - personally". If you want to only bear professional responsibility then you should have stopped at "here is what it would cost to secure a BYOD environment" and not progressed to "No BYOD here.".