Windows is truly dead on the cloud and has been for a decade. The only thing people use it for is self-hosted Exchange, and file servers and active domains - legacy stuff.
(And the Java people all work for banks, and ride the train. Even though they're really well paid, they don't own the company, and don't get allocated parking spots in the bank's CBD offices...)
Probably an awful statistical analysis, but it's a common enough thing here I've heard other people talking about it...
Oh yeah, and iPhones. We have those - not complaining, really, but those were sold internally as "it looks better if we have those premium phones and not old junk". Ah well...
I've seen this happen too in predominantly Linux shops. In the early 2000s Microsoft worked hard to cultivate relationships with future IT leaders and those relationships have a way of enduring. Even if your CIO can't get everyone onto Windows they might still find a place for Office 365 without much time spent weighing up the alternatives.
Big difference: IBM representatives actually knew their stuff. Microsoft would rely on its enterprise sales guys to cultivate these relationships, pushing the CTO to make the most stupid decisions and using system engineers to sugar coat and hide the details.
I remember one being told off by a sales person when saying “yes, it’s a bug” in one of these sales pitches.
Now you can get after the actual interesting problem of intellectual property theft and corporate espionage. Things which the firewalls of old did nothing to prevent but provide a layer of obfuscation.
Your concern about rampant malware won't even matter because the only way people can access the web services is through the VMs. The thin clients and physical workstations won't even be able to access most of those services that are mission critical.
In the situation where a company provided physical workstation is necessary, that machine would be just as isolated from the internal network as anyone else. Developers can use one of those, or use VMs that are VLAN'd off. And if your developers are automating their builds and containerizing, then your developers are going through layers of services and automation before their code goes out to production, so even they won't need access to production environments from their relatively insecure dev laptops.
They need access to a few web frontends and be able to use their SCM server...
But in order to do that, they'll have to be able to test locally or have a really hardened access to their servers. Significantly harder than just forcing everyone on company hardware without root/admin access.
That is extremely rare at larger b2b enterprises.
We still restrict web access to company managed machines but it’s a layer, not an essential boundary.
That's like 10 years of projects right there.
There are some things I do like about C# and .Net ... the culture is rarely one of them. Though I still prefer it to Java for the most part.
If you can target at least 4.7.1 you can use configuration builders to use environment variables/JSON/cloud parameter stores/etc. to modify legacy web.config or appsettings without code changes. You can also use the .NET Core config libraries directly in legacy .NET apps if the devs are willing.
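The configuration-builder setup mentioned in the comment above, as an added example that is not part of the original thread: a legacy `web.config` whose `appSettings` values are overridden from environment variables, so secrets stay out of the checked-in file. It assumes the `Microsoft.Configuration.ConfigurationBuilders.Environment` NuGet package is installed; the key names, the `MYAPP_` prefix and the placeholder values are constructed for illustration.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- web.config for a legacy .NET Framework 4.7.1+ app (constructed example) -->
<configuration>
  <configSections>
    <!-- Must be declared before the configBuilders element is used -->
    <section name="configBuilders"
             type="System.Configuration.ConfigurationBuildersSection, System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             restartOnExternalChanges="false"
             requirePermission="false" />
  </configSections>

  <configBuilders>
    <builders>
      <!-- Strict mode: only keys already present below are overwritten.
           With prefix and stripPrefix, the environment variable
           MYAPP_PaymentApiKey fills the key PaymentApiKey. -->
      <add name="Environment"
           mode="Strict"
           prefix="MYAPP_"
           stripPrefix="true"
           type="Microsoft.Configuration.ConfigurationBuilders.EnvironmentConfigBuilder, Microsoft.Configuration.ConfigurationBuilders.Environment" />
    </builders>
  </configBuilders>

  <appSettings configBuilders="Environment">
    <!-- Checked-in values are non-secret placeholders; the real values come
         from the process environment at load time, with no code change. -->
    <add key="PaymentApiKey" value="set-via-environment" />
    <add key="PaymentApiUrl" value="https://payments.example.invalid/" />
  </appSettings>
</configuration>
```

Existing code that reads `ConfigurationManager.AppSettings["PaymentApiKey"]` picks up the environment value unchanged; if the variable is not set, the placeholder is returned, so a startup check for the placeholder string is worth adding.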
We all hear about the exciting engineering projects and stories coming out of Facebook. But the IT side of their org is held together with various off the shelf enterprise products and Windows stuff.