Yes, finding the right balance in the CIA triad is the challenge. Ultimately, if the consumer of the IT services can't use it, then all the security in the world is for not. Worse yet, it forces some users to bypass IT altogether with "shadow IT" so they can get work done. This itself adds even more vulnerabilities to the network. Sometimes the devil you know is better than the one you don't.