You have to think about it like this: the average skill level of engineers at a large company will always move to the true average across all engineers outside the company. This means they have engineers that don't know what they're doing, and there's not much they can do to prevent it. The average "security" skill level is very very low, and even people who are good at it make huge mistakes constantly.
If you accept that, then it makes sense to spend time and money on preventing people who don't know what they're doing from hurting everyone else. It is therefore essential that mitigations like this are applied, even though if everyone did their job perfectly, they would not be necessary.
I work on this team. We host Netflix compute that while "internal" processes requests from Netflix users and the internet. We use industry standard frameworks and technologies in our workloads. All software ends up having security incidents. We have this lower level security to protect ourselves if the higher level technology has temporary security problems.
Anyway really good stuff.