I've worked wholly in life insurance companies. The difference is how much autonomy directors/managers/employees are given with respect to their tools. In the worse case I've seen, you have to route every equipment request through both IT Help Desk, System Security, and your manager. It would be sad if it weren't so funny. Office Space is real. The best example I can see is that as developers, we are still given a machine without admin rights. They set a group policy for every user in the organization with a laptop; whenever you connect to their network, the policy changes your power settings so that closing your laptop does not place it into sleep mode. This has cost me hours of time. I close my laptop expecting it to "just work, i.e. stop draining battery like a sieve" like any other consumer product, but because some executive didn't like having to log back into their laptop when they closed it, the entire organization is forced to use that setting. So every time I use this laptop, I have to remember that closing the laptop does not induce sleep, and before I close the laptop, I have to remember to press the crescent moon button! It's silly compared to how well my personal devices work.

Another is a request for a purchase of a license of $50 software. We can't even purchase the software and install it ourselves. It has to be vetted for interference for dozens of other apps, even though we need it for development and don't run any of the apps that they're testing. It cost me lots more time than $50...

The root of the problem seems to be that there is no cost accounting for anything related to IT Security. Seemingly anything that could increase security seems like it is fast tracked for implementation. Instead of weighing the NPV impact to the company by implementing this system, they just go with it. There's so much opportunity to teach decision makers to think more quantitatively, but at organizations where things like this are allowed to fester, there's always larger issues with leadership at the top.