You may have been in IT for 20 years, but you haven't worked at a level that gives you much exposure to security, clearly.
"Data breach from lack of encryption" is a common problem. From a legal standpoint, data on an unencrypted laptop must be assumed leaked if the laptop is stolen or lost. So when HR loses a laptop and has to buy the whole company credit monitoring - that's an expense saved by FDE. The problem is much worse if you have customer data or data worth stealing.
Is one lock enough? Fuck no. The principle of defense in depth exists for a reason. Because in the computer world locks are constantly being picked and break for no reason. You need multiple overlapping (not identical) security measures or you are already owned.