Hacker News

fregonics, 12/10/2024

Security consultancy companies need to always point out something that needs to be changed, even though it is not really important, to show themselves as useful.

And executives don't have enough tech knowledge to discern between security measures that are actually effective or not, so to avoid risks they just make their tech teams implement it because the consultancy said it should be done.

Had a similar situation in my current job, and unfortunately it is not something worth picking a fight with senior leadership for.

Ironically, most of these companies allow access from web browsers (which are completely controlled by the client).