Hacker News

Most companies that I worked for and which had a troublesome remote work setup used the "security by obscurity" approach. The IT there were completely incompetent and the only way they knew to make systems "secure" was to limit outside access. And most of those crippled infrastructures were Windows-based. As usual, there were exceptions though.


At my employer the issue is the opposite. They don't value security so they disable all firewalls, encryption, 2FA and everything else in favor of ease-of-use. My concern isn't that people will have a hard time working from home, my concern is that whatever malware they have at home is now also roaming the company network.


Let's dig a huge gaping hole into that infrastructure with a VPN and BYOD. And when it doesn't work, blame IT support for not properly supporting my dusty old Windows XP installation. Sure.

What you want is separation, though for real work it quickly becomes impractical. So there are special rules for something, and suddenly, everybody is running on those not-so-special rules anymore.

IT security is still mostly about people and awareness at this point.


Limiting outside access is not "security through obscurity". That would be something more like "we have a VPN server that gives you full internal access that doesn't even have a password, but no one is going to figure out that we are running it on a non-default port".


This is correct. I was super confused for a minute when I read the original comment.



