Not true. If your production environment is set up correctly, you have a development, test and production setup. Dev and test guys don't get to touch the production stuff. I've been doing that for around 30 years. No problem. Those that don't, problems.
Let's be real here. Most companies don't care about security. For Windows most of them will do the updates. For Linux, Solaris, (your favorite brand Unix) - often never. They forgetaboutit. Even then, almost all the time it's the Windows box that gets hacked. Companies don't think it's worth the expense to hire good security guys. Often that's all the way down to their lobby.