Rethink Remote Access: Stephen Hope’s Advice
Policy is not hard to adapt - getting users to stick to policy is the hard bit.
What you may be missing is that policy is often compromised because remote access has to work reliably in the real world for all the users.
Convenience and utility are the only things that make using remote access worthwhile, and the user base is heavily biased to people who will not put up with issues if they do see the security tradeoff as needed- and have the clout to change a policy they do not accept.
Finally logistics get in the way as well.
If you want to alter setup for all your users, you need to either deploy the changes remotely (and risking trashing the service for someone who can fire you for doing it), or catch up with them all and fix it locally.
Right now we have users wandering in maybe 50+ countries......