Developers have total control over their workstation and "Sandbox" lives there in a VM. Developers have limited rights to the "development" environment where they can test things like deployment process and make some changes. In TEST, they have no rights (can't even login) and in PROD obviously no rights. Patch also often exists and is used by SA's only. I work for a large university where we support a lot of different apps in a fairly heterogenious environment not one or two products like I have in the past in corporate environments, it works well IMO once the developers get the idea that they have to get things mostly right before moving into DEV.
Nature always sides with the hidden flaw.