Organizations need both. No, we don't want developers experimenting on a production server, but they do need a sandbox where they can try whatever comes to mind. Whether that's a "real" dev server or a locally installed instance, they need that freedom.

In my view the 'lock it down' mentality often comes from a desire to avoid problems than a true desire for security. Very common for PC support people to do the same - don't let users change things like screen resolution because it might break something!

Security is serious stuff and shouldn't be dealt with lightly. But at every step we must also make sure our customers (the ones that pay and the ones that develop) can get to the data they need.