It'd definitely be a plus if the IT department was set up to handle things at all levels. Unfortunately, a lot of the time they're only funded enough to look into a minimum set of solutions, and only solutions which tick all the big-app boxes (the reasoning being that something with a bazillion functions which can be rolled out to a thousand users must have a better ROI than something with fewer functions used by fewer staff).

It is possible to turn this around and get the IT department revamped in the way you want, but it generally involves a lot of gentle pressure from the staff, a lot of patient quiet arguing for the additional funding and smaller, faster ROIs, and one or two successful small projects which show that operating on the smaller level won't cause problems for the company infrastructure as a whole.

There's also the issue of opportunity. Someone who knows a cheater is more likely to be introduced to the concept of "playing in a slightly different way", and may not actually realize what they're doing won't be looked on beneficially by others until they're labeled a cheater themselves. People who don't have any contact with cheaters are less likely to have cheaty methods of interaction pop up on their radar.

It's not really all that surprising that cheating - like any other human activity or idea - can spread from human to human. Particularly when there are no memetic defenses in place against copying a particular action.

The worst company pretended that they could design a system where they could pretend to trust their employees.

I think I may have worked at this place's spiritual cousin. Everyone knew everyone else's passwords, and regularly logged on as other people. The IT budget was pretty much nonexistent, and the few massively-overworked people in it struggled along lashing things together with baling wire and spitballs. The CEO refused to pony up for volume licensing for anything, so every workstation had its own set of license keys. Email archives were stored ON THE WORKSTATIONS. There was no SOE. There wasn't even a corporate workstation image. The hardware was so heterogeneous that the first thing to do when the company bought a new laptop or desktop was to jump on the net and see if there were even drivers available for whatever was in the case. THE CEO wouldn't pay for upgrades unless it was actually stopping (not merely slowing) an employee's ability to do work. Some machines had Win7/Office 2010. Some had XPSP1 and Office XP. Antivirus was not administered centrally - some machines hadn't been updated since the Jurassic, and none of them had internet access to pull down even AV database updates, let alone new engines.

There was a Microsoft domain... on some of the machines. Others were physically on the network, but had no domain access and their users had no user objects. Group Policy was a joke. And pretty much everything in the whole infrastructure was like this.

They turned over seventy million in profit a year. Rumor had it that most of this went into the CEO's yacht.

If we want the power to say "No" to users who are doing unsecure things, we have the corresponding responsibility to provide an easy-to-use substitute in a reasonable time frame.

To an extent. If there's a user demand for a function, ability, or service, they can ask IT to provide it. IT can then research what's available, what will work with the current systems in place, and what will be maintainable, secure, follow any legal requirements, be thoroughly tested even with edge cases, and so on and so forth. IT then summarizes its findings to management if there's more than one possibility.

Only sometimes, there are no possibilities within the current budget. While in IT it is always an option to have a custom solution created from the ground up, these cost money (as well as development time). And if management says they're not willing to spend that money, then it's not IT's responsibility to slap together some dodgy hack by next week just because it would be convenient for Joe Blow.

In those cases, IT really needs to go back to the users and say "Management has decreed that they are not willing to buy this functionality at this time. If it's really an issue, talk to your managers."

Of course, management needs to know that they can't just go to IT and proclaim "Pull free magic out of your ass!"

So I made my own using VBA and a SQL server in about a week.

The difference is that the IT department is there to provide solutions which work for all users, which have been comprehensively tested to make sure they don't screw up any other parts of the SOE, and for which assistance is both provided and budgeted. You don't need that - you just need something slapped together which does one particular thing in one particular circumstance for you.

Metaphorically, the IT department is in the business of building custom forklifts which comply with all relevant safety legislation, hook into the company methodologies, have training and documentation and maintenance contracts, include theft-proofing, and are part of the asset register. You want a crowbar.

I suppose every company's IT departments have combed through all of those products' source code to make sure there aren't any backdoors or trojans...

The industry as a whole has.