It depends on the management. I worked in an IT group that basically had no power over anything. It got to the point where we put together a report for the executives which basically was an ultimatum. It stated they could spend roughly $2 million implementing some much-needed network security OR when an event happens (and they will) they can spend upwards of $100 million trying to do damage control. All our numbers were based on reports published by other companies who had data breaches. Thankfully the execs were smart enough to get on board.
Eh.. That is a very 'large company' mindset.
Most of these situations (with unfiltered internet, spyware, users installing apps whenever they want) are a result of no (or lacking) computer usage policies. This is usually due to IT management getting steamrolled as the company grows.
Here's a brief example:
Company is formed, 10-15 people. As they get up to 25-30 employees they see the need for an IT guy. Most of the time one of the other employees fixes desktops on the side, has his/her own home network, etc. They are usually volunteered to be the IT person 'for now' since they know more than anyone else working there about IT.
Ok, now the company is growing. 50, 60, 100 users. They still have the same IT guy (who is usually relying on consultants who are fine with the craptacular network since they're getting $140/hr to show up a few times a week). These companies have no internet filtering, SMS, or anything else. The IT guy has no other IT experience which makes it tough for him to leave. The owners only know what they're told by the IT guy (which unfortunately is usually "Everything is perfect!") and thus he's never replaced. It's really difficult to get owners/upper management to realize they've been hanging on by a thread until one of these disasters happens.
This usually keeps on until there is a MAJOR catastrophe which shows just how poorly things are set up. Sometimes it's at 100 users, sometimes it's at 10,000.