A number of years ago, I had just started a new job in a leadership role, and I attended a senior leaders discussion, led by the Chief Information Security Office (CISO) of the company. There were various topics being covered, but one had to do with the configuration of the servers, which was a topic near and dear to my heart.
The CISO was talking about how they were going to demand compliance from all appropriate staff that the servers were to be configured in a certain way, with a certain version, etc. in order to have better security in the company. If anyone had a problem with that, then there were other places they could be employed. If necessary, there would be mandatory training...you get the idea.