The question is usually a bit more complex, such as "should we rip out thousands of readers and gates in our buildings, or can we maybe get away with switching to hardened cards using the same protocol for a few more years".

Not that I'd recommend it, but in most companies, physical security doesn't have a limitless budget just like everything else.