The problem is that security making things difficult results in employees resorting to workarounds like running rogue webservers to get their jobs done.

If IT security's KPIs are only things like "number of breaches" without any KPIs like "employee satisfaction", security will deteriorate.