I've seen so many security disasters caused by "IT professionals" who are just focused on enforcing security policies. My favourite example was a major client who spent months trying to get their IT security division to play ball on a project, but every effort proved fruitless - the firewalls and network security policies were there for a good reason, dammit, and they weren't prepared to compromise on security.
Faced with pressure to get the project completed, the project team ended up plugging in heaps of 3G modems all over the site, to allow network connectivity to the systems they needed external access to. This access went in with no network-level access controls or firewall, and to the best of my knowledge they're still there, years later.
Would I have done that? No. I would have resigned first. But these people had jobs and liked keeping them, and faced with the certainty of a failed project, or the possibility of someone (probably not them) taking a fall over breaching security policy, they went with whatever got the job done. The project manager met his KPI, the team got to move on to other projects, and security got to feel smug because they kept their network security policies intact.
I saw the whole debacle happen (and I've seen plenty of similar situations over the years), and in my opinion it's been a failure of the security team just about every time. Facing a choice between:
a) Enabling engineers to solve business requirements while ensuring there are effective and well-managed security controls, or
b) Enforcing security as a top priority, with little regard for the requirements of other business divisions,
security teams often just go with option b. They pretend the inevitable workarounds aren't their fault.
Every time they say "yes" to something which increases security risk, the security team risks something going wrong - but every time they say "no" they risk people coming up with their own workaround instead. Security teams should be enablers - finding ways to secure what needs to be done. Once they become known as deniers, they'll just end up fighting an adversarial battle with their own colleagues. That doesn't result in effective security.