That man constitutes the largest IT security risk is an established truth. A user who wants to make changes to their computer needs admin rights, but extended rights increase the risk of mistakes, intrusions, malware and other security problems.
Many organizations choose to accept this risk to maintain user flexibility. Others lock down the computer and require that the IT-department is also involved in simple changes with longer lead times and increased workload as a result. Either way, it’s not optimal.