In the real world, I.T. professions need to make exceptions to rules. They need adjustable parameters, and they need the ability to audit the results of these policies. Businesses need to take a more pragmatic approach to security. They need to permit only what is required and trust nothing else. But that does not mean making it difficult to permit what is required.