I personally use a company phone for everything, but I also manage security on it to MY standards, they don't always sync up with corporate standards.
This greatly simplifies the problem. This is what alot of the security arguments do, in my experience. They ignore human nature, and often business needs. There is a right way to do things, but there is always a balance. Even ignoring that balance, and insisting everything is done right, will often get bad results due to ignored externals.
Even these systems that are not connected to the internet suffer the internet effect. How hard would it be to publicize an exploit like this in 1984?
..if their department engineers are sitting in on an interview, who's cost is that?