USB has been a classic attack vector for local attacks forever. I have used them on red team social engineering engagements for a long time. An few innocuous auto run usb thrown into a few machines will be all you would need to compromise an internal network easily. The pint is you can harden physical security and a big part of that is disabling usb (physically if possible)
True. We tend to use things like inline keystroke loggers on keyboards these days for socials engineering gigs. You can also just convince people to run your stuff by giving it intriguing names (e.g. Q4 layoffs). Excel sheet, exe... etc :)