How exactly are they setting this up that it's complex? Isolated VLANs with VPN access are a routine solution to this kind of problem. A decent network engineer would probably have it done before you finish telling him what you want.
(If instead of a decent network engineer, I had to do it, I'd just be finding the password for the switch I hadn't logged into for a year. The configuration would be done about 15 minutes later.)
From my experience, there's a tremendous lack of decent network engineers in those companies (mechanical industry, family business, ...).
Devil's advocate: people in charge of IT stuff there are project or support guys, almost never network engineers. Either they don't care about serious security or they simply have no clue how they should do it. And when they outsource their IT security, they're so bad at choosing that the solution implemented is worse than doing nothing.
When I have the chance to chat with them about those subjects, the common position is almost always "we don't get why the machine manufacturer doesn't sell us a secured solution".