On port 80 it could be that they want to avoid issues with privilege ports. A good chunk of people will just run everything as root because it fixes the privilege port issue. I simply have our Ops team to configure authbind through Salt so that whatever user need to run the services can have access to the privilege ports required.
In all honesty if your application is not listening to the outside world directly, avoid using the privilege ports indeed. Your firewall/load balancer will get the port 80/443 requests and forward them to 8080 or 8443 (or whatever) for you. You can always configure nginx to listen on the privileged ports and do local forwarding.
I've had to deal with some pretty stupid secure configuration decisions such as:
- switch ssh to port 22222 so it is harder to find in case of attacks
- remove the telnet client from the linux machines because "telnet is insecure"
Cloud services are here to stay, and if you try to block them you will end up with your users going around your walls: block Box for file sharing and they will share with something shady you never heard of
Disclaimer, I work for Skyhigh Networks.