Security is challenging to get right. It's always a complex balancing act between what users want and what administrators need. Between placing the server in a hermetically sealed container with no cables running the outside world, and setting the server up on the busiest street corner in town with an already logged-in administrator account pulled up on the attached monitor. Depending on the O/S update policy in practice at your company, that last example can be roughly the equivalent of connecting your server to the Internet.
A client of Jim's with a WordPress site had been having performance issues that were off the scale bad. Slower then a snail on Valium. Slower than a herd of turtles rampaging through a molasses factory. Worse than that, the actual in-browser rendering was taking significantly longer than any benchmarking tests would lead you to believe. Even massively loaded benchmark tests had a better rendering time. And the client's browser's weren't massively loaded.