Evil manager from hell: nope, you can still reconfigure the <thing> to use telnet. At least it would be then plain obvious that there is no security, instead of the current security theater with DSA.
The grind of audit requirements tends to mean those managers are a lot more willing to do the right thing now – it’s less risk than putting your name in writing on the thing which the auditors / insurance company will be using to fail you.
Yes, or telnet. My point was that it used to be that random acts of management/ BOFH were more common because they could play politics out of consequences; now that lots of people have insurance or regulatory checks, that’s harder to do. That paperwork might not be the most efficient way to do it but it does at least produce a slow grind forcing the business people to pay attention to problems they used to ignore.