Security features and policies are two different things. If you can solve a vulnerability with a feature, you do it. Policies are for things that don't have a technological solution, like social engineering. People should lock their workstations, but they don't always. Instead of remarking on how lazy or dumb they are, Microsoft created a solution 22 years ago.
Also, policy doesn't fix this scenario with a shared computer: a malicious employee, instead of logging off after his shift, runs a fake logon screen malware to collect credentials from other users. Those other users may be privileged or, even if unprivileged, have their identities be used as cover in later attacks.