I agree with your points. However, the challenge of incorporating the corporate networking security protocols is daunting. The Facilities fiefdom disallows anyone but Facilities touching, well, facilities. The service contracts do not allow for anyone but the service personnel to touch the control systems, in most instances. I like the idea of a front end, but unless the service personnel can reach their systems from their 50 year old control systems, they will void the contracts. And as soon as you mention VPNs or encryption or air gapping - you risk losing all support for the critical systems (I'm speaking mostly from experience in supporting production pipelines in labs). What is needed is a full rethink of ownership of these systems, and buy-in and new contracts. And, lotsa new people.