I hear zero-trust is a trendy buzzword at the moment, so let's apply the basic idea here: having a hard shell and a soft and chewy center is not a security posture that works, in practice. You need to harden at every level. RMM uber-admin credentials are the ultimate soft center: you compromise those, you can kill the entire IT infrastructure. The only alternative is to distribute access: have multiple smaller IT teams that adminster small parts of the system, with more 'central' roles providing services but not having full control of most machines. It's not a fun option, but it might also work a lot better if each team can actually adjust policies for the environment they're working in as opposed to trying to have one completely unified policy for an entire multi-thousand employee company. And, for critical systems, I would seriously consider the wisdom of having a remote 'wipe and reformat' button at all.
At a bare minimum, your backup systems should have a completely disjoint set of credentials to your main systems, stored and controlled differently, ideally by a seperate team, if you have the resources.
(And the arguing becomes a problem when IT ceases to consider their job to be solving problems for users within some constraints, and just starts to consider their job to be enforcing those constraints. This also mixes badly with incompetence, which tends to turn everything into a tedious tick-box exercise that neither improves security nor solves user's problems. It's not a good time to have an IT department that can't resist any new security checkbox a vendor offers but can't figure out how to work any of their fancy tools to make life even the slightest bit smoother for their users)
Everyone doing it doesn't make it a good idea. The big tech companies and governments are I think a little more paranoid about rouge admins, so they do at least try to limit the blast radius of any given credential, but almost no-one else has that level of maturity, which creates this pretty big chasm in the resiliance of IT organisations as you go from small to large.
(There's also a certain irony about IT complaining that a change to improve security would mean they can't do their job as easily)
I think you do not understand what a massive undertaking even securing a tenant in GSuite or Office 365 can be. Plus networking. Plus end user computing.
On top of this you want companies and governments to make their own tools?
You have a vision... of something zero trust. Now make it and implement it. Oh, not so easy?
S3 buckets used to be open by default. Office 365 had MFA as optional for a looooong time. So things are improving.
At a bare minimum, your backup systems should have a completely disjoint set of credentials to your main systems, stored and controlled differently, ideally by a seperate team, if you have the resources.
(And the arguing becomes a problem when IT ceases to consider their job to be solving problems for users within some constraints, and just starts to consider their job to be enforcing those constraints. This also mixes badly with incompetence, which tends to turn everything into a tedious tick-box exercise that neither improves security nor solves user's problems. It's not a good time to have an IT department that can't resist any new security checkbox a vendor offers but can't figure out how to work any of their fancy tools to make life even the slightest bit smoother for their users)